>> That does not stop another php user fopen'ing your config file.

This is a point that needs to be stressed.  The other posts about keeping db
connection info outside of the web tree and naming the files .php are good
ones, but even with them, there can be major security problems on a shared
virtual host, which many / most hosting providers provide.

For example, a malicious user gets an account on a shared host with PHP
(probably Perl, too) installed.  They then do an fopen on the /etc/passwd
file to see which users are on the machine and where their directories are.
If shadow passwords aren't used, they also get the encrypted password.

With that knowledge they can use the standard PHP directory commands like
dir to get a listing of all the files in a user's home directory and then
they can fopen whichever one they'd like.

In these setups, the same user (nobody, www, etc.) has read access to all of
these files.  If it didn't, your script wouldn't work.  Once a user finds a
password for a mysql database, they can just:

DROP DATABASE database_name;

DELETE FROM table_name;

Possible solutions:

1) Run your own server (not possible in many cases)

2) Run php in safe mode (something a hosting provider must do, will break
some/many apps)

3) Make sure that your mysql users have only the necessary permissions,
i.e., don't give the user insert/update/delete privs if they only need to

4) Don't store sensitive data in databases on shared servers.

5) Backup everything from databases regularly and hope you never really need
to use them.

Hope that helps.


Paul Burney
Webmaster && Open Source Developer
(310) 825-8365
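The least-privilege grant from point 3 of the post above, as an added example that is not part of the original message: the catch-all grant that many hosting panels hand out is shown beside a grant limited to what the page actually does. The database, table and account names (shop_db, products, orders, app_user) are constructed placeholders; the syntax is MySQL's.

```sql
-- Added example, not from the original post. Names are constructed placeholders.

CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'use-a-long-random-password';

-- Weak setting (shown only for contrast): anyone who reads the password out of
-- the config file on a shared host can DROP the database or DELETE every row.
-- GRANT ALL PRIVILEGES ON shop_db.* TO 'app_user'@'localhost';

-- Least privilege: a catalogue page that renders products and records orders
-- needs SELECT on one table and SELECT + INSERT on the other, nothing else.
-- No DELETE, DROP, ALTER or GRANT OPTION, so a leaked password can do no more
-- than the page itself could do.
GRANT SELECT         ON shop_db.products TO 'app_user'@'localhost';
GRANT SELECT, INSERT ON shop_db.orders   TO 'app_user'@'localhost';
FLUSH PRIVILEGES;

-- Check what the account can really do before the password goes into a config file.
SHOW GRANTS FOR 'app_user'@'localhost';

-- With the grants above, the two statements from the post fail with an
-- access-denied error when run as app_user:
--   DROP DATABASE shop_db;
--   DELETE FROM shop_db.orders;
```

Run the block as the MySQL root or admin account; the application then connects as `app_user`. If a later feature needs UPDATE on one table, add that single privilege rather than falling back to ALL PRIVILEGES.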

PHP Database Mailing List (http://www.php.net/)