One more thing: make sure the application is running on its own server, meaning don't use a shared hosting environment that allows others to gain access to your directories. In this case even placing the file outside of docroot does not secure it in any way, since any other user can access it with their PHP scripts, since it is most likely that the webserver user is the same for all shared hosters. This can be alleviated with safe_mode = on. I know this is a very specific scenario, but nonetheless you should make sure this is not possible.

You could store the password encrypted and decrypt it before giving it to the database; this way, if anybody got the file, they could not read the password. This of course still leaves open where to store the keys. I wonder if there is a way to actually securely store database passwords for scripts on a server without compromising security to some degree. It all comes down to one credo: there is no such thing as absolute security; the trick is to make retrieval of information as hard as possible.

About security books: there are none that are specific to PHP that I know of, but general books such as 'Hackers Guide' or so give you a fair deal of information (and sources) on how security can be compromised on your system. Don't forget your friend Google, or some other search engine for that matter.

As already mentioned:

1. Trust nobody, validate everything.
2. Watch out for SQL injection.
3. Close everything you don't need on your server.
4. Let your PHP code be checked by others. Maybe even this list?
5. Turn off register_globals to prevent variable injection into your script.
6. Turn your error level up to E_ALL to see all notices. This will prevent you from using uninitialized variables or using constants you have not defined. I find it helpful to display all errors to screen during development. Don't forget to turn this off for production purposes. In production, regularly inspect the PHP error log.

Regards
Stefan Langer

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
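As an added illustration (not code from Stefan's mail), here is a PHP credential loader that applies the points raised in the thread: the config file must sit outside the document root, must not be readable by other local users (the shared-hosting concern), and error output goes to the log rather than the screen outside development. The path /etc/myapp/db.ini, the APP_ENV variable and the ini keys are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Development: show every notice (E_ALL); production: log only, never display.
error_reporting(E_ALL);
ini_set('display_errors', getenv('APP_ENV') === 'development' ? '1' : '0');
ini_set('log_errors', '1');

/**
 * Load DB credentials from an ini file kept outside the web root.
 * Returns ['host' => ..., 'user' => ..., 'password' => ..., 'dbname' => ...].
 */
function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    // Refuse a file that the web server could serve directly.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("config file must not live inside the document root: $real");
    }
    // Refuse a file readable by group/others: on a shared host another user's
    // script running as the same web-server user could still read it, but at
    // least this catches the common chmod 644 mistake (assumed policy: mode 600).
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('config %s has mode %o; use chmod 600', $real, $mode));
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse config file: $real");
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing '$key' in $real");
        }
    }
    return $cfg;
}

// Usage (assumed file /etc/myapp/db.ini, owned by the web-server user, mode 600).
$db  = loadDbConfig('/etc/myapp/db.ini');
$dsn = "mysql:host={$db['host']};dbname={$db['dbname']};charset=utf8mb4";
$pdo = new PDO($dsn, $db['user'], $db['password'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface errors instead of hiding them
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);
```

Sample /etc/myapp/db.ini (constructed): four lines `host = "localhost"`, `user = "app"`, `password = "changeme"`, `dbname = "appdb"`; the credential string never appears in any file under the docroot.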