Hi folks. Sorry if this gets posted twice, but I sent it originally almost an hour ago and it hasn't shown up on the list yet.
Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them.

I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following:

    SetEnv DB_USER "myuser"
    SetEnv DB_PASS "mypass"

and then using this:

    Include "/path/to/secret-stuff"

in the httpd.conf file such that they show up in your $_SERVER array.

I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email.

I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files.

Thoughts?

Cheers and TIA,
Pablo

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
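
The PHP side of the setup described in the message above, as an added example that is not part of the original post or of Chris's article: it reads DB_USER, DB_PASS and INC_PATH, fails closed when one is missing, and only includes files that resolve inside INC_PATH. It assumes the Include line sits inside the site's `<VirtualHost>` block; `load_site_env`, `resolve_include` and `db.php` are hypothetical names, and the command-line branch uses constructed sample values.

```php
<?php
// Added example, not code from the original post.
// Read the required settings from the server environment, failing closed.
function load_site_env(array $server, array $required): array
{
    $out = [];
    foreach ($required as $name) {
        if (!isset($server[$name]) || !is_string($server[$name]) || $server[$name] === '') {
            // Name the missing variable in the error log only, never in the response.
            error_log("missing server variable: $name");
            throw new RuntimeException('Site configuration unavailable');
        }
        $out[$name] = $server[$name];
    }
    return $out;
}

// Resolve a file under INC_PATH and reject anything that escapes that directory.
function resolve_include(string $incPath, string $file): string
{
    $base = realpath($incPath);
    $full = realpath($incPath . DIRECTORY_SEPARATOR . $file);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Include not available');
    }
    return $full;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample values so the script can be tried offline.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo';
    @mkdir($dir, 0700);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'db.php', "<?php // hypothetical include\n");
    $server = ['DB_USER' => 'myuser', 'DB_PASS' => 'mypass', 'INC_PATH' => $dir];
} else {
    // Under Apache the SetEnv values arrive in $_SERVER.
    $server = $_SERVER;
}

$env = load_site_env($server, ['DB_USER', 'DB_PASS', 'INC_PATH']);
require resolve_include($env['INC_PATH'], 'db.php');
if (PHP_SAPI === 'cli') {
    try {
        resolve_include($env['INC_PATH'], '../outside.php');
    } catch (RuntimeException $e) {
        echo "include outside INC_PATH rejected\n";
    }
}
```

Values set this way are visible to anything that dumps the server environment, such as `phpinfo()` or `print_r($_SERVER)`, so scripts that do so should not be left reachable on the site.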