At 6:22 PM +1000 9/5/01, speedboy wrote:
>  > $0 option:
>>  Put your user ID and password in a config file, then give only the
>>  webserver user access to it.  Read the config file to make it work.  This
>>  also allows easy switching between test and production environments.
>
>You can't change the group owner of a file unless you have root.
>
>That does not stop another php user fopen'ing your config file.
>

If you're creating a config file, first, always include .php or .php3 as 
part of the name; this means that if someone tries to directly access 
the file using a web browser, the file compiles and prints as blank.

Secondly, references to the config file should be placed after the 
<html> and before the <head> tags so even if the page breaks the path 
to file is never shown to the user.

Additionally, if you like and your host is set-up for it, you can 
store config files and other includes in the (data) folder of your 
website. Many ISPs offer set-ups that include an (html), (data), 
(scripts), and (log) folder. The benefit of using a data folder is 
that it is inaccessible to anyone trying to access it without root 
permission. Files located in the (data) folder generally must be 
specified using the path_to_file method ( 
/myISP/theirHostArea/myUserName/data/)

Generally speaking, the first two methods are secure enough. If a PHP 
user does guess the correct path to your config file, they generally 
cannot access it using the 
http://www.yoursite.com/include/config.inc.php method, since the file 
pre-compiles as blank or empty. This means that they would need to 
gain root privileges to read the file as text.

The data folder provides a nice extra layer of security, pretty much 
ensuring that the file can't be called using the http:// method at 
all since it's outside of your web root.

Alnisa
-- 
   .........................................
    Alnisa  Allgood
    Executive Director
    Nonprofit Tech
    (ph) 415.337.7412  (fx) 415.337.7927
    (url)  http://www.nonprofit-techworld.org
    (url)  http://www.nonprofit-tech.org
    (url)  http://www.tech-library.org
   .........................................
    Nonprofit Tech E-Update
    mailto:[EMAIL PROTECTED]
   .........................................
    applying technology to transform
   .........................................
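As an added example (not code from the message above or from the list), here is one way to put the three points together: the config file is a PHP script (so a direct web request produces no output), it lives in a data directory outside the document root, and the page that loads it never emits the path or the credentials into the HTML. The directory layout, file names and credential values are assumptions.

```php
<?php
// html/index.php  (assumed layout: /home/user/html/ is the web root served by
// the web server, /home/user/data/ is the ISP's data folder next to it)
//
// data/config.inc.php is assumed to contain only PHP, so a direct browser
// request for it returns an empty page:
//
//   <?php
//   return [
//       'db_host' => 'localhost',
//       'db_user' => 'appuser',      // constructed placeholder values
//       'db_pass' => 'CHANGE-ME',
//       'db_name' => 'appdb',
//   ];

// Build the path relative to this script instead of hard-coding the ISP
// path, so the absolute location never has to appear in page source.
$configPath = dirname(__DIR__) . '/data/config.inc.php';

// Check before require: a failed require prints a fatal error that
// contains the full path, which is exactly what should stay hidden.
if (!is_readable($configPath)) {
    http_response_code(500);
    exit('Configuration unavailable');   // no path in the response
}
$config = require $configPath;

// Connect while no HTML has been sent yet, and keep mysqli from throwing
// an exception whose message (host, user) could end up in the output.
mysqli_report(MYSQLI_REPORT_OFF);
$link = mysqli_connect($config['db_host'], $config['db_user'],
                       $config['db_pass'], $config['db_name']);
if ($link === false) {
    http_response_code(500);
    exit('Database unavailable');        // no credentials in the response
}
unset($config);                          // credentials not needed any more
?>
<html>
<head><title>Example page</title></head>
<body>
<?php
// ... page body that uses $link ...
mysqli_close($link);
?>
</body>
</html>
```

If the host allows it, the same effect for the config file itself comes from giving it mode 0640 with the web server's group, so other shell users on the box cannot read it as text.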

-- 
PHP Database Mailing List (http://www.php.net/)
