On Tuesday, June 25, 2002, at 03:46 PM, Peter wrote:
> When you have the standard
>
> $link = mysql_connect("localhost","username","secretpassword");
>
> Would it not be possible for someone to use PHP from another server to
> download your source and find out your MySQL details including password?

Yes. If they have access to the source, they can see these values. If they don't have some way of seeing those files, though, they won't be able to do it.

For this reason it is a good idea to make sure that no one except you and the user that the webserver runs as can read your files. For instance, all my files are actually readable to all (their mode is 644), except for one. This one file is readable only to me and members of the "apache" group, and it contains all of the database connection parameters. Of course, the only member of the "apache" group is the "apache" user that the web server runs as, so no one else will be reading this file.

It's a luxury of having root access on my server, since this is pretty difficult to do without a root user (catch 22 -- how do you change the file to the "apache" group unless you are a member of the "apache" group, but if you are a member of the "apache" group then you can see all of the "protected" files in that group).

Also I have a directive that prevents Apache from serving any file with an ".inc" suffix, and this file does, so Apache (hopefully) won't serve this data to the world via port 80.

Erik

----

Erik Price
Web Developer Temp
Media Lab, H.H. Brown

--
PHP General Mailing List (http://www.php.net/)
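Added example, not part of the original message: a small POSIX shell check for the file layout described above (credentials file at mode 640, owned by the web server's group, nothing for "other"). The function names, the `db.inc` file name and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names and the
# finding labels are illustrative; FILE and GROUP are supplied by the caller.

# lock_down_secret_file FILE GROUP
# Hand FILE to GROUP and set mode 640: owner rw, group r, other nothing.
# chgrp fails unless you are root or a member of GROUP, which is the
# catch-22 the message mentions.
lock_down_secret_file() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# audit_secret_file FILE GROUP
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_secret_file() {
    file=$1
    want_group=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi

    # Any bit set for "other" exposes the file to every local account.
    if [ -n "$(find "$file" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "OTHER-ACCESS $file"
        rc=1
    fi

    # The web server reads the file through its group, so the group must
    # match and must have the read bit.
    have_group=$(ls -ld "$file" | awk '{print $4}')
    if [ "$have_group" != "$want_group" ]; then
        echo "WRONG-GROUP $file: $have_group, expected $want_group"
        rc=1
    fi
    if [ -z "$(find "$file" -perm -040)" ]; then
        echo "GROUP-CANNOT-READ $file"
        rc=1
    fi

    return $rc
}

# Usage: lock_down_secret_file db.inc apache && audit_secret_file db.inc apache
```

The audit covers only filesystem permissions; whether Apache refuses to serve `.inc` files over HTTP depends on the server configuration and has to be checked separately.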