>>>> 2) I store the db password and login info in a database.inc.php file.
>>>> Is there any way I can prevent a person from getting the db pass even
>>>> after he gets this file?
>>> 
>>> Store that file outside the docroot.  That way there is no chance they
>>> can get it from the web site.  I myself use an ini file that is nowhere
>>> near the docroot, and use parse_ini_file() to load the DB
>>> information in, and then I connect to it.  This method passed our
>>> security audit with flying colors.
>> 
>> Okay - this may be a dumb question - but if the file is named
>> database.inc.php - how would someone get this file without having ftp or
>> ssh or telnet access to the server.  If they have access to the server -
>> it would be just as easy to collect the information outside of the doc
>> root, since that file has to be readable by the webserver also yes?
> 
> Yes, but if an outsider can gain SSH access, then Apache's security is
> meaningless, too. If you are concerned about security, you will also
> disable FTP and telnet (or at least restrict them severely).

That is precisely my point - if the user has shell access of any type you
are compromised - but if they do not get server access - how could they
possibly get the database.inc.php?  If that is called directly then it will
be parsed, and as long as you are not outputting anything in this page, they
will not see the user/pass that you have in there...
> 
> ---------------------------------------------------------------------
> michal migurski- contact info and pgp key:
> sf/ca            http://mike.teczno.com/contact.html
> 

--
Cheers

Mike Morton

****************************************************
*
* Tel: 905-465-1263
* Email: [EMAIL PROTECTED]
*
****************************************************

"Indeed, it would not be an exaggeration to describe the history of the
computer industry for the past decade as a massive effort to keep up with
Apple."
- Byte Magazine

Given infinite time, 100 monkeys could type out the complete works of
Shakespeare. Win 98 source code? Eight monkeys, five minutes.
-- NullGrey 
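The approach the thread settles on (an ini file kept outside the docroot, loaded with parse_ini_file() and readable only by the web server user) as an added example; this is not code from any of the posters. The path /etc/myapp/db.ini, the [database] section and its key names are assumptions.

```php
<?php
// Added example: load DB credentials from an ini file that lives outside
// the docroot. Assumed file (mode 0640, owner root, group = web server user):
//   [database]
//   host = "localhost"
//   user = "appuser"
//   password = "s3cret"       ; constructed placeholder value
//   dbname = "appdb"
function load_db_config(string $iniPath, string $section = 'database'): array
{
    $real = realpath($iniPath);
    if ($real === false) {
        throw new RuntimeException("Config file not found: $iniPath");
    }
    // Refuse a file that sits under the web root: a server misconfiguration
    // could then hand it out as plain text instead of parsing it.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Config file must live outside the docroot: $real");
    }
    // The file has to be readable by the web server, but not by everyone.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("Config file is world-readable: $real");
    }
    $ini = parse_ini_file($real, true, INI_SCANNER_TYPED);
    if ($ini === false || !isset($ini[$section])) {
        throw new RuntimeException("Missing [$section] section in $real");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!array_key_exists($key, $ini[$section])) {
            throw new RuntimeException("Missing '$key' in [$section] of $real");
        }
    }
    return $ini[$section];
}

// Usage: the credentials never appear in any file under the docroot.
$db  = load_db_config('/etc/myapp/db.ini');
$pdo = new PDO(
    "mysql:host={$db['host']};dbname={$db['dbname']};charset=utf8mb4",
    $db['user'],
    $db['password'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
```

Because the loader throws instead of echoing anything, a failed load does not leak the settings into the page output either.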


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php