> On Tuesday, June 25, 2002, at 03:46 PM, Peter wrote:
>
> > When you have the standard
> >
> > $link = mysql_connect("localhost","username","secretpassword");
> >
> > Would it not be possible for someone to use PHP from another server to
> > download your source and find out your MySQL details including password?
>
> Yes. If they have access to the source, they can see these values. If
> they don't have some way of seeing those files, though, they won't be
> able to do it.
>
> For this reason it is a good idea to make sure that no one except you
> and the user that the webserver runs as can read your files. For
> instance, all my files are actually readable to all (their mode is 644),
> except for one. This one file is readable only to me and members of the
> "apache" group, and it contains all of the database connection
> parameters. Of course, the only member of the "apache" group is the
> "apache" user that the web server runs as, so no one else will be
> reading this file.
And make sure PHP is in safe mode. Otherwise, on a virtual server, with
many users, I can write a php script that does this:

$fp = fopen("/path/to/your/htdocs/html/config.inc","r");

And read through your file. Since my script is running as apache, and
apache has access to your file, it'll work. That's why you run in safe
mode, as I understand it, at least. If you run a dedicated server, then
you're fine, you just have to keep people from getting into your machine.

> Also I have a directive that prevents Apache from serving any file with
> ".inc" suffix, and this file does, so Apache (hopefully) won't serve
> this data to the world via port 80.

Or just name it with a php extension. Then the user won't receive
anything, either. I always name mine file.inc.php or something similar.
Whatever you do, make sure the source isn't sent by apache to the
browser.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
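As an added example (not code from this thread or its posters), here is a PHP loader that applies the advice above: credentials live in a `.php` file outside the document root, the file is refused if it is world-readable, and the array is returned rather than defined as globals. The path `/etc/myapp/db.php`, the default document root and the array keys are assumptions for illustration.

```php
<?php
// Added example for this thread (not John's or Peter's code): load the MySQL
// credentials from a file that Apache can neither serve nor other tenants read.
// The path /etc/myapp/db.php and the array keys are assumptions.

function load_db_config(string $path): array
{
    // 1. The file must exist and sit outside the document root, so no request
    //    on port 80 can ever return it, whatever handler ".inc" is mapped to.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    $real    = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    if ($docroot !== false && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        throw new RuntimeException("config file lives inside the document root: $real");
    }

    // 2. Refuse a world-readable file (the "other" read bit, 0004). A 0640 file
    //    owned by you with group "apache" matches the thread's recommendation.
    //    Note: this still lets any script running as the apache user read it;
    //    the thread's answer, safe_mode, was removed in PHP 5.4, so shared hosts
    //    now rely on a separate PHP user per site (e.g. php-fpm pools) instead.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        throw new RuntimeException(sprintf('%s is world-readable (mode %04o), expected 0640', $real, $mode));
    }

    // 3. The file *returns* the array rather than defining globals, so an
    //    accidental second include cannot leak or clobber anything.
    $cfg = include $real;
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config is missing key '$key'");
        }
    }
    return $cfg;
}

// Contents of /etc/myapp/db.php (mode 0640, owner you, group apache):
//   <?php return ['host' => 'localhost', 'user' => 'username',
//                 'password' => 'secretpassword', 'dbname' => 'app'];

$cfg  = load_db_config('/etc/myapp/db.php');
// mysql_connect() from the quoted post is gone since PHP 7; mysqli replaces it.
$link = mysqli_connect($cfg['host'], $cfg['user'], $cfg['password'], $cfg['dbname']);
```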