At 6:22 PM +1000 9/5/01, speedboy wrote:
> > $0 option:
>> Put your user ID and password in a config file, then give only the
>> webserver user access to it. Read the config file to make it work. This
>> also allows easy switching between test and production environments.
>
>You can't change the group owner of a file unless you have root.
>
>That does not stop another php user fopen'ing your config file.
>

If you're creating a config file, first always include .php or .php3 as part of the name; this means that if someone tries to directly access the file using a web browser, the file compiles and prints as blank. Secondly, references to the config file should be placed after the <html> and before the <head> tags, so even if the page breaks the path to the file is never shown to the user.

Additionally, if you like and your host is set up for it, you can store config files and other includes in the (data) folder of your website. Many ISPs offer set-ups that include an (html), (data), (scripts), and (log) folder. The benefit of using a data folder is that it is inaccessible to anyone trying to access it without root permission. Files located in the (data) folder generally must be specified using the path_to_file method (/myISP/theirHostArea/myUserName/data/).

Generally speaking, the first two methods are secure enough. If a PHP user does guess the correct path to your config file, they generally cannot access it using the http://www.yoursite.com/include/config.inc.php method, since the file pre-compiles as blank or empty. This means that they would need to gain root privileges to read the file as text. The data folder provides a nice extra layer of security, pretty much ensuring that the file can't be called using the http:// method at all since it's outside of your web root.

Alnisa
--
.........................................
Alnisa Allgood
Executive Director
Nonprofit Tech
(ph) 415.337.7412
(fx) 415.337.7927
(url) http://www.nonprofit-techworld.org
(url) http://www.nonprofit-tech.org
(url) http://www.tech-library.org
.........................................
Nonprofit Tech E-Update
mailto:[EMAIL PROTECTED]
.........................................
applying technology to transform
.........................................
--
PHP Database Mailing List (http://www.php.net/)
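As an added example, not code from the thread, here is the "data folder" layout Alnisa describes put into practice: the credentials file sits outside the web root and is pulled in by a path computed from the script's own location, with checks that it is readable and has not drifted under the document root. All paths, file names and credentials are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Assumed layout (hypothetical paths):
//   /home/example/data/config.inc.php   -> outside the web root, holds credentials
//   /home/example/html/index.php        -> this file, inside the web root
//
// Contents of data/config.inc.php (a .php file, so even if it were ever
// reachable over HTTP it would execute and print nothing rather than be
// served as text; it returns an array and echoes nothing):
//
//   <?php
//   return [
//       'db_host' => 'localhost',
//       'db_user' => 'app_user',      // placeholder credentials
//       'db_pass' => 'REPLACE_ME',
//       'db_name' => 'app_db',
//   ];
//
// ---- html/index.php ----

// Keep error output off so a failing include can never print the file path
// into the page (the thread's reason for hiding the include in the markup).
ini_set('display_errors', '0');

// Locate the config relative to this script, one level above the web root,
// instead of hard-coding the ISP's full /myISP/.../data/ path.
$configFile = dirname(__DIR__) . '/data/config.inc.php';
$realConfig = realpath($configFile);
$docRoot    = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;

// Refuse to start if the config is missing or unreadable; the message
// deliberately contains no path.
if ($realConfig === false || !is_readable($realConfig)) {
    http_response_code(500);
    exit('Configuration unavailable.');
}

// Also refuse if the file has ended up under the document root (e.g. a bad
// deploy copied data/ into html/), which would defeat the "data folder" layer.
if ($docRoot !== false && strpos($realConfig, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Configuration must live outside the web root.');
}

$config = require $realConfig;

// Use the credentials from here on; nothing in $config is ever echoed to the client.
$db = new mysqli($config['db_host'], $config['db_user'], $config['db_pass'], $config['db_name']);
```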