Absolutely correct!

Having said all of this, it is still a bad idea (certainly on UNIX systems,
I can't speak for Micro$oft) to keep passwords embedded in scripts in this
way, particularly if you are running PHP as a CGI process, it is a better
idea to have the appropriate passwords stored as variables inside a separate
script that is then called via an 'include' statement (which should then be
read-only to 'root' if memory serves me right - it's been a long time since I
ran PHP this way!).

Ben Stoneham
Technical Director - FCP Internet LTD.
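
The separate include file suggested in the reply above, as an added example that is not part of the original message or of PHP's documentation: a loader that only accepts a credentials file kept outside the document root and closed to other local accounts. The function name, the paths and the permission policy are assumptions made for illustration, and the demo files are constructed.

```php
<?php
// Added example: load DB credentials from an include file outside the web root.
// Function name, paths and permission policy are assumptions for illustration.

function load_db_credentials(string $file, string $docRoot): array
{
    $real = realpath($file);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $file");
    }
    // Refuse a file that sits where the web server serves documents from.
    $root = rtrim((string) realpath($docRoot), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $root) === 0) {
        throw new RuntimeException("credentials file is inside the document root");
    }
    // Assumed policy: no permission bits at all for 'other' local accounts.
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf("mode %04o is too open", $mode));
    }
    $cfg = include $real; // the included file returns an array and prints nothing
    foreach (['host', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("credentials file lacks '$key'");
        }
    }
    return $cfg;
}

// Constructed demo layout under the temp directory (not a real site).
$base = sys_get_temp_dir() . '/creds_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750);
// A .php extension means a misplaced copy is parsed rather than served as text.
$body = "<?php\nreturn ['host' => 'localhost', 'user' => 'my_user', 'pass' => 'my_password'];\n";
file_put_contents("$base/private/db.inc.php", $body);
file_put_contents("$base/htdocs/db.inc.php", $body);
chmod("$base/private/db.inc.php", 0640);

$cfg = load_db_credentials("$base/private/db.inc.php", "$base/htdocs");
echo "loaded credentials for {$cfg['user']}@{$cfg['host']}\n";
// With a live server: $dbLink = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass']);

try {
    load_db_credentials("$base/htdocs/db.inc.php", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```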


-----Original Message-----
From: Doug Schasteen [mailto:[EMAIL PROTECTED]]
Sent: 20 February 2001 19:51
To: Don; php-db list
Subject: Re: [PHP-DB] PHP security


As far as I know, you cannot download PHP programs without access to
download them. Meaning you need an account on the webserver, so they would
need your account user and pass before they could steal your MySQL user and
pass. I don't know how FrontPage works, but it would probably have to call
on the server to parse the php script before downloading it. There is no way
to download a PHP script as a "nobody" user without it being parsed by PHP
first.


----- Original Message -----
From: "Don" <[EMAIL PROTECTED]>
To: "php-db list" <[EMAIL PROTECTED]>
Sent: Tuesday, February 20, 2001 1:24 PM
Subject: [PHP-DB] PHP security


> I am writing some PHP scripts to connect to a MySQL database.  In order
> to connect, I have found the following documented code:
>
> $dbLink = mysql_connect("localhost", "my_user", "my_password");
>
> Here, the password is plain text.  This does not seem very secure to
> me.  What is to prevent someone using a program like FrontPage to
> download my web and discover my password?
>
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]