John,

We're a four-year college.  Some maintainers are faculty, some are
staff and some are work-study (students) and centrally we have little
say over who can and can't.  We use WebDAV but people inevitably share
passwords (policies against doing such notwithstanding) and that's a
problem we can do little about until after the fact.  Back in the days
of CGI when executables were only allowed in cgi-bin which was
exclusively under the control of the webmaster, passwords could be put
into root-only readable files and read up by Apache into its
environment, but that kind of control is unacceptable today in a
liberal arts college environment.  So the question is, how do we
protect ourselves from folks who misbehave (after all, I do lock my
front door even though in theory I trust my neighbors)?

-- Rob

--On Tuesday, March 01, 2005 07:57:31 PM -0500 John Holmes
<[EMAIL PROTECTED]> wrote:

> Rob Tanner wrote:
>> We have a number of PHP webpages that access one of several MySQL
>> databases and while the PHP files that contain the passwords cannot
>> be accessed via the web, we are becoming increasingly concerned over
>> the possibility of other webpage maintainers viewing those files.
>> How have other folks protected database passwords needed by PHP apps?
> 
> Who are these "other webpage maintainers" and why do they have access
> to your PHP source code? This isn't a PHP issue. The MySQL password
> has to be in a file as plain text; there's no getting around that (as
> recently discussed on here). Your issue is controlling access to the
> machine and the files, so is an OS/policy/trust issue, imo.



-- 
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
