At 12:08 17-5-01 +0700, Kittiwat Manosuthi wrote:
>In a virtual hosting environment, even though the directory permission is
>set to 751, you still need to leave world-readable permission on the
>individual PHP files that are to be read from a browser. In a scenario
>where there's another user on the same server who can guess (or even
>get, from the URL) the name of a PHP file, he can simply: cd
>/home/user1/html; more thatfile.php. If thatfile.php contains the
>username/pwd for a db, this can lead to a compromise of that db.
>Moreover, many times the db name is the same as the username, and the db
>pwd is the same as the user password!
If your ISP installs it this way, I'd say find another. Only a complete
idiot would create the same user and password for MySQL as for the normal
shell account. Bet they also allow telnet and don't have SSH installed.
Use an include for your database connections and put that file outside your
HTML doc root. If anyone screws up the Apache config, your .php files with
passwords aren't shown to the visitor.
Bye,
B.
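The layout B. recommends, as an added example (not code from the original message): a credentials file kept one level above the document root and pulled in with require, with the connection made through PDO rather than credentials sitting in a served file. Two files are shown in one listing; the paths /home/user1/config/db.inc.php and /home/user1/html/index.php, the database name, user and password are all hypothetical.

```php
<?php
// File 1: /home/user1/config/db.inc.php   (hypothetical path, OUTSIDE the doc root)
//
// Nothing under /home/user1/config is mapped to a URL, so even if the Apache
// config breaks and .php files are served as plain text, this file is not
// reachable from a browser. Keep it 0640 (or 0600 if PHP runs as your own
// user, e.g. under suexec or a per-user php-fpm pool), not world-readable.
//
// Returning an array from the include keeps the secrets out of the global
// scope of the calling script. All values below are made-up placeholders.
return [
    'dsn'  => 'mysql:host=localhost;dbname=user1_app;charset=utf8mb4',
    'user' => 'user1_app',
    // A database password that is NOT the shell password, as B. insists.
    'pass' => 'replace-me-with-a-separate-db-password',
];

// File 2: /home/user1/html/index.php   (hypothetical path, INSIDE the doc root)
//
// Resolve the config path relative to this script's own directory, not the
// document root, so the location is fixed by the filesystem layout and not by
// anything a visitor controls.
$config = require dirname(__DIR__) . '/config/db.inc.php';

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
} catch (PDOException $e) {
    // Never echo $e->getMessage() to the visitor: it can include the host,
    // database name or user. Log it server-side and fail closed instead.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

// Drop the plaintext credentials from scope as soon as the handle exists.
unset($config);

// Normal page logic continues with $pdo; prepared statements only.
$stmt = $pdo->prepare('SELECT id, title FROM posts WHERE author = :author');
$stmt->execute([':author' => 'user1']);
foreach ($stmt as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

This covers the case B. describes, a broken Apache configuration serving .php source to visitors. It does not by itself defeat the case in the quoted message, another shell user on the same box: if PHP runs as one shared web-server uid for every customer, the config file must be readable by that uid and so by any other customer's script. Closing that hole needs per-user PHP execution (suexec, CGI per user, or separate php-fpm pools), after which the config file can be 0600 and owned by the account.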
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]