On Mon, 23 Aug 2004, Adam Q wrote:

> > Hrm, well, it's a very bad idea to put the database anywhere under the
> > document root, because then you'd obviously be serving it for everyone
> > to download. Encryption or no encryption, that's a very bad idea.
> > Instead, you should place the database file outside of the document
> > root (e.g. /usr/local/sqlite). Make sure that this directory is
> > properly writable by the web server process and PHP, and you're done.
>
> Putting the files outside the document root is secure, I agree... But
> how can you be sure of this with an open source application (as opposed
> to internally developed)? People are likely to drop your application
> anywhere in their web tree they think it fits.
>
> >> And I'm thinking specifically of shared hosting situations (where PHP
> >> is used a great deal) where you are unable to change the hosting
> >> configuration.
> >
> > These setups typically run with setuid and/or chroot solutions, which
> > allow you (or the hosting provider) to solve that issue.
>
> How can I ask people to contact their hosting provider for a special
> setup before using my application?

All shared hosts that I saw already provide you with such space. They
give you /home/your_site_name and in there www/ which is the webroot.
You can do whatever you want in /home/your_site_name

> I would like to distribute a tarball for a PHP application that can be
> dropped into someone's website along the same lines as PostNuke,
> phpMyAdmin etc (you get the idea).

Perhaps this is exactly why PostNuke is considered insecure?

Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
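
Added example, not part of the original thread: one way a distributed PHP application could check at startup that its SQLite file sits outside the document root, as the thread recommends, instead of trusting where the tarball was unpacked. The function names `is_inside` and `db_path_outside_docroot` and the `data/` directory are hypothetical; the temporary directory layout is constructed for the demonstration.

```php
<?php
// Added example (not from the thread): refuse an SQLite path the web server could serve.
// is_inside() and db_path_outside_docroot() are hypothetical helper names.

function is_inside(string $path, string $root): bool
{
    // Compare with a trailing separator so /home/x/www2 is not "inside" /home/x/www.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

function db_path_outside_docroot(string $dbPath, string $docRoot): string
{
    // realpath() resolves symlinks and ".." so the comparison uses canonical paths.
    $root = realpath($docRoot);
    $dir  = realpath(dirname($dbPath));
    if ($root === false || $dir === false) {
        throw new RuntimeException('document root or database directory does not exist');
    }
    // The file may not exist yet (first run); if it does, resolve it too in case it is a symlink.
    $real = realpath($dbPath) ?: $dir . DIRECTORY_SEPARATOR . basename($dbPath);
    if (is_inside($real, $root)) {
        throw new RuntimeException("refusing $real: it is under the document root $root");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("$dir is not writable by the web server process");
    }
    return $real;
}

// Constructed layout mirroring /home/your_site_name with www/ as the webroot.
// In a real application $docRoot would come from $_SERVER['DOCUMENT_ROOT'].
$home = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'your_site_name_' . getmypid();
mkdir("$home/www", 0700, true);
mkdir("$home/data", 0700, true);

foreach (["$home/www/app.db", "$home/www/../data/app.db"] as $candidate) {
    try {
        echo 'ok: ', db_path_outside_docroot($candidate, "$home/www"), "\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
rmdir("$home/www"); rmdir("$home/data"); rmdir($home);
```

The check only covers the document root it is given; directories exposed through other server mappings (aliases, additional virtual hosts) are not visible to it.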