On 4 Dec 2011, at 16:59, Andreas wrote:

> On 03.12.2011 23:54, Tamara Temple wrote:
>> If you give every application user a unique set of database access
>> permissions, that means that any one of those users can access your data
>> base WITHOUT going through your application if they manage to get access to
>> your data base server. Is that clearer? Your application's users should not
>> be able to access the data base directly. The application should be the
>> thing to manage the data base. You may want to have different data base
>> credentials for different user *roles* (plain, privileged, admin roles,
>> etc), but to give *every* application individual data base unique
>> credentials is not only unnecessary, but also a security risk.
>
> OK, then where or how is the most advisable place to store the application's
> credentials?
>
> One way is to have it as constants in a separate php-file somewhere within
> the doc-root so php can easily access it as an include.
> An application that is to be put on an outside hoster's server has to do it
> like this, I guess.
> Mine will stay on a server within the LAN for now, so I've got root access.
>
> This way the web-server could display it in the probably unlikely case
> someone guesses the url to it AND the php-interpreter fails to process it
> first.
>
> More likely a local user could read it, though.
>
> So how would I store it and restrict access to it?
Put it outside the document root so it can't be accessed directly. The only
chance of it being displayed to a user then is via a really bad
mis-configuration of the web server, or an error in the code, neither of which
you can reasonably be expected to protect against (outside of effective
testing).

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/

--
PHP General Mailing List (http://www.php.net/)
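An added example of the layout Stuart describes (not code from the thread): the credentials file lives one directory above the document root, and the loader refuses to start if the file turns out to be under the docroot or is readable by other local users, which covers both of Andreas's worries. The paths, the `loadDbConfig` helper and the array keys are assumptions for illustration.

```php
<?php
// Assumed layout (illustrative, not from the thread):
//   /var/www/myapp/public/          <- the web server's document root
//   /var/www/myapp/public/index.php <- this file
//   /var/www/myapp/config/db.php    <- credentials, OUTSIDE the docroot
//
// config/db.php simply returns an array:
//   <?php
//   return ['dsn'  => 'mysql:host=localhost;dbname=app',
//           'user' => 'app_user', 'pass' => 'change-me'];
//
// Make it readable by the web server's user only, e.g.
//   chown root:www-data /var/www/myapp/config/db.php
//   chmod 0640          /var/www/myapp/config/db.php

declare(strict_types=1);

function loadDbConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        throw new RuntimeException("DB config not found or unreadable: $path");
    }

    // Refuse to run if the file sits under the document root: a web server
    // misconfiguration could then serve it as plain text.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("DB config must live outside the document root: $real");
    }

    // Refuse credentials that any local user could read (world-readable bit set).
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("DB config is world-readable, fix its permissions: $real");
    }

    $cfg = require $real;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

$cfg = loadDbConfig(__DIR__ . '/../config/db.php');
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
unset($cfg); // don't keep the password in a variable longer than needed
```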