>>> 2) I store the db password and login info in a database.inc.php file.
>>> Is there any way I can prevent a person from getting the db pass even
>>> after he gets this file?
>>
>> Store that file outside the docroot.  That way there is no chance they
>> can get it from the web site.  I myself use an ini file that is
>> nowhere near the docroot, and use parse_ini_file() to load the DB
>> information in, and then I connect to it.  This method passed our
>> security audit with flying colors.
>
>Okay - this may be a dumb question - but if the file is named
>database.inc.php - how would someone get this file without having ftp or
>ssh or telnet access to the server?  If they have access to the server -
>it would be just as easy to collect the information outside of the doc
>root, since that file has to be readable by the webserver also, yes?

Yes, but if an outsider can gain SSH access, then Apache's security is
meaningless, too. If you are concerned about security, you will also
disable FTP and telnet (or at least restrict them severely).

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca            http://mike.teczno.com/contact.html


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
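
Added example (not part of the original thread and not any poster's code): the approach described in the quoted reply, an ini file kept outside the docroot and loaded with parse_ini_file(). The function name load_db_config(), the [database] key names and the temp-directory layout are assumptions constructed for illustration.

```php
<?php
// Added example: load DB credentials from an ini file kept outside the docroot.
// load_db_config() and the [database] key names are hypothetical.
function load_db_config(string $iniPath, string $docroot): array
{
    $ini  = realpath($iniPath);
    $root = realpath($docroot);
    if ($ini === false || $root === false) {
        throw new RuntimeException('config file or docroot not found');
    }
    // Refuse a config file the web server could hand out as a static file.
    if (strpos($ini, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the docroot');
    }
    // Refuse world-readable credentials (POSIX permission bits).
    if ((fileperms($ini) & 0004) !== 0) {
        throw new RuntimeException('config file is world-readable');
    }
    // INI_SCANNER_RAW: option values are not parsed, so the password stays literal.
    $cfg = parse_ini_file($ini, true, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['database'])) {
        throw new RuntimeException('missing [database] section');
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg['database'][$key])) {
            throw new RuntimeException("missing key: $key");
        }
    }
    return $cfg['database'];
}

// Constructed sample layout in a temp directory so the script runs offline.
$base = sys_get_temp_dir() . '/inidemo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750, true);
$sample = "[database]\nhost = localhost\nname = appdb\nuser = app\npass = constructed-example\n";
foreach (["$base/private/db.ini", "$base/htdocs/db.ini"] as $f) {
    file_put_contents($f, $sample);
    chmod($f, 0640);
}

$db = load_db_config("$base/private/db.ini", "$base/htdocs");
echo "dsn: mysql:host={$db['host']};dbname={$db['name']} user: {$db['user']}\n";
// A real caller would pass these values to new PDO(...).
try {
    load_db_config("$base/htdocs/db.ini", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```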
