And make sure you make sure the webserver will not SERVE that file!!!  You
see the source, see that you are fopening the file, I'll find it on your
system and get it from the web server and I have your password!

Make sure the file is NOT in the document root that the web server serves
from.  You could also just use the file ".htpasswd", usually by default web
servers will NOT serve any file named that.  However, much safer to put it
somewhere that the web server cannot see (but your PHP script can).

Also, this is just as insecure as the other way to any person with a login
on the box your PHP script is in.  Usually the script is owned by
nobody:nobody or read-write all, in which case all local users can get your

The nobody method at least keeps no password.


On Wed, 6 Nov 2002, Steve Cayford wrote:

> You could put it anywhere. Stick it in a text file somewhere, fopen()
> and read the file for the password. Or keep it in a php script outside
> of the web root if that's the issue, then just include() it when you
> need to.
> Of course any file you put it in will have to be readable by whatever
> user the webserver is running as.
> -Steve
> On Wednesday, November 6, 2002, at 04:16  PM, 1LT John W. Holmes wrote:
> >> I was wondering if it is possible to protect my password to the
> > MySQL-server
> >> from being in a PHP-script.  Now I can't do that, so everybody who
> >> gets to
> >> see my php-sourcecode also can see my (not protected/not encrypted)
> >> password.
> >> How can I change this?
> >
> > You can't, unless you want to put it in php.ini or a my.conf file...
> >
> > ---John Holmes...
> >
> >
> > --
> > PHP Database Mailing List (
> > To unsubscribe, visit:
> >
> --
> PHP Database Mailing List (
> To unsubscribe, visit:

Peter Beckman            Systems Engineer, Fairfax Cable Access Corporation
[EMAIL PROTECTED]                   

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to