> --- Mike Morton <[EMAIL PROTECTED]> wrote:
>> That is precisely my point - if the user has shell access of any
>> type you are compromised - but if they do not get server access -
>> how could they possibly get the dotabase.inc.php? If that is
>> called directly then it will be parsed, and as long as you are not
>> outputting anything in this page, they will not see the user/pass
>> that you have in there...
>
> That's the perspective that is the cause of many security vulnerabilities.
>
> Why rely on some access restriction when you don't have to? You include code
> using a filesystem path. There is no need for it to reside under document
> root.
> Yes, you can make it so that certain things are not served directly by the Web
> server, but why take the extra risk? You gain nothing. What if you make a
> mistake? What if you install a new version of Apache and that file accidentally
> gets served raw?
Fair enough - but that still does not answer my question. Is there a way to get a php document served raw if apache or whatever server is configured correctly?

I am not saying that it is not a good practice - but some people do not have access to directories outside of their webroot - some host providers do not allow it.

So back to the original question:

"Maybe I am missing something totally obvious, but if the server is set up to properly parse php files - having configs outside of the doc root should not make much of a security difference?"

Is this a true statement or not? (of course we have to make the assumption that server access has not been compromised....)

> Chris
>
> =====
> Become a better Web developer with the HTTP Developer's Handbook
> http://httphandbook.org/

--
Cheers
Mike Morton
****************************************************
*
* Tel: 905-465-1263
* Email: [EMAIL PROTECTED]
*
****************************************************

"Indeed, it would not be an exaggeration to describe the history of the computer industry for the past decade as a massive effort to keep up with Apple." - Byte Magazine

Given infinite time, 100 monkeys could type out the complete works of Shakespeare. Win 98 source code? Eight monkeys, five minutes. -- NullGrey

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
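The layout Chris argues for, as an added example that is not code from this thread or from either poster: the front controller resolves the credentials file from its own filesystem location (one level above the document root) and refuses to continue if the resolved path turns out to sit under the served directory, so the "new Apache serves it raw" failure mode has nothing to expose. The include itself carries a fallback guard for the shared-hosting case Mike raises, where the file cannot be moved out of the webroot. The directory names, the `APP_BOOTSTRAP` constant, `loadDatabaseConfig()` and the placeholder credentials are all assumptions; `str_starts_with()` needs PHP 8 or later.

```php
<?php
// Added example, not from the thread. Assumed layout (hypothetical):
//   /var/www/app/config/database.inc.php   <- outside the document root
//   /var/www/app/public/index.php          <- this file; DocumentRoot is public/
declare(strict_types=1);

// Set by the application entry point only; the include checks for it.
define('APP_BOOTSTRAP', true);

/**
 * Load the credentials file via a filesystem path derived from this script's
 * location, never from anything in the request, and verify it is not under
 * the document root the web server is allowed to serve.
 */
function loadDatabaseConfig(string $publicDir): array
{
    $configPath = realpath($publicDir . '/../config/database.inc.php');
    if ($configPath === false) {
        throw new RuntimeException('database.inc.php not found outside the document root');
    }

    // If someone later "simplifies" the deployment and the file ends up inside
    // the served tree, fail loudly instead of running with an exposed secret.
    $docRoot = realpath($publicDir);
    if ($docRoot !== false && str_starts_with($configPath, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('database.inc.php must not live under the document root');
    }

    $config = require $configPath; // the include returns an array (see below)
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $config;
}

$db  = loadDatabaseConfig(__DIR__);
$pdo = new PDO(
    sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $db['host'], $db['name']),
    $db['user'],
    $db['pass'],
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// ---------------------------------------------------------------------------
// /var/www/app/config/database.inc.php  (separate file, shown here for completeness)
// ---------------------------------------------------------------------------
// <?php
// // Fallback for hosts that force everything under the webroot: if PHP does
// // parse a direct request for this file, answer as if it did not exist.
// // This guard does nothing when the file is served raw, which is why the
// // outside-the-docroot layout above is the primary control.
// if (!defined('APP_BOOTSTRAP')) {
//     http_response_code(404);
//     exit;
// }
// return [
//     'host' => 'localhost',
//     'name' => 'app',
//     'user' => 'app_user',
//     'pass' => 'PLACEHOLDER-change-me',   // constructed placeholder value
// ];
```

The `APP_BOOTSTRAP` guard only helps in the case Mike describes (the file is requested directly and PHP parses it); it cannot help in the case Chris describes (the handler mapping is lost and Apache returns the source as text), so on a host that will not allow files above the webroot the next-best control is a server-side deny for that filename, for example an Apache 2.4 `<FilesMatch "\.inc\.php$">` block containing `Require all denied`. Keeping the file outside the document root removes the dependency on either of those configurations being right.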