This isn't as big a security issue as you might think, so long as your
config file is a file that will be parsed by the server instead of
echoing it out.
If your config.inc.php file is for example:
<?php
$password = '123456';
?>
then accessing it via Apache (i.e. hitting it with your web browser)
will result in no output. It can of course be included or required by
other php scripts.
Some (bad) applications still use *.inc files, and if they're used on an
incorrectly configured server (i.e. one that is configured to serve up
.inc files as text/plain by way of the absence of a handler, etc.), then
revealing the information therein is just a case of accessing the file.
Here's an example of a report of this
http://www.vupen.com/english/advisories/2006/2664
The .htaccess method of denying access to files that match that
filespec is solid - SO LONG as your website obeys the directive and it's
configured properly. Test!
Cheers,
- Bob -
yeosteve wrote:
> Thanks everybody.
>
> I asked this dumb question partly because I was feeling dumb, but
> mainly to show my class at Natcoll that they can get great help from
> the community. It also came up because I have a client who has their
> site on an Openhost shared server, and they tell me I can't store
> files above the web root "for security reasons", so even my config
> file with my database details has to be stored in the public_html
> folder!!
>
>
--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
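As an added example (not part of the thread above, and not anything Openhost or the poster supplied), here is a small POSIX shell script covering both halves of Bob's advice: it emits an .htaccess fragment that denies direct requests for *.inc files on Apache 2.2 (Order/Deny) and Apache 2.4 (Require), and it classifies what a server actually returns for such a URL so the "Test!" step can be scripted. The URL, the secret string and the sample responses are constructed placeholders; it assumes AllowOverride permits these directives in the directory and that curl is installed.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# 1) print .htaccess rules that block *.inc (and *.inc.php) requests
# 2) classify a server's response to tell "blocked" from "leaked"

# Emit an .htaccess fragment that works on both Apache 2.2 and 2.4.
# Assumption: AllowOverride for this directory permits these directives.
htaccess_deny_inc() {
    cat <<'EOF'
<FilesMatch "\.inc(\.php)?$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# classify_response STATUS BODY SECRET
#   STATUS : HTTP status code the server returned
#   BODY   : response body
#   SECRET : a value known to be in the file (e.g. the DB password)
# Prints one of:
#   blocked    - 401/403/404, the deny rule (or absence of file) held
#   leak       - 200 and the secret is visible in the body
#   empty      - 200 with an empty body (PHP parsed the file, no output)
#   unexpected - anything else; inspect by hand
classify_response() {
    status=$1; body=$2; secret=$3
    case "$status" in
        401|403|404) echo blocked; return 0 ;;
    esac
    # quoting "$secret" inside the pattern makes it a literal match
    case "$body" in
        *"$secret"*) echo leak; return 0 ;;
    esac
    if [ -z "$body" ]; then
        echo empty
    else
        echo unexpected
    fi
}

# check_url URL SECRET
# Fetch URL with curl and classify the result. Returns 1 on a leak.
check_url() {
    url=$1; secret=$2
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url") || {
        rm -f "$tmp"; echo "curl failed for $url" >&2; return 1
    }
    body=$(cat "$tmp"); rm -f "$tmp"
    verdict=$(classify_response "$status" "$body" "$secret")
    echo "$url -> HTTP $status: $verdict"
    [ "$verdict" != leak ]
}

# Usage (placeholder URL and secret, adjust to your site):
#   htaccess_deny_inc > /path/to/public_html/.htaccess
#   check_url 'http://www.example.com/config.inc' '123456'
#   check_url 'http://www.example.com/config.inc.php' '123456'
```

Run check_url against every config filename you deploy, not just one: a leak classified as "empty" for config.inc.php says mod_php parsed it, while the same file renamed to .inc would come back as "leak" unless the deny rule is in force, which is exactly the difference the thread is about.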