Stut wrote:
> Roberto Mansfield wrote:
>> Bastien Koert wrote:
>>> store your password/access credentials outside the web root and use php
>>> to read the data in.
>>
>> This is good for web attacks, but I'm thinking of an account break in
>> where someone is accessing files directly on the server.
> 
> I suggest you think about this for a second before you start designing
> with a really pointless obfuscation system. Say someone is accessing
> files directly on the server... if they can get at the file that
> contains the password then they can also get at the PHP code that will
> de-obfuscate it. Spend your time locking the doors rather than putting
> 5-minute obstacles in the path.

Yes, I have thought about this. We've spent time locking the doors.
There are many layers in place. As I said, this is not the only type of
security being considered. But if a new exploit comes out and someone
does gain unauthorized access to the file system, I'd rather not hand
them a plaintext password.

So is anyone doing anything to protect plain text passwords in the
filesystem?

Thanks,
Roberto

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
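
The suggestion quoted in this thread (credentials stored outside the web root and read in by PHP) can be paired with a check that the file is not readable by other local accounts. The following is an added example, not code from any poster; the function name, INI keys and paths are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: load DB credentials from a file kept outside the web root,
// refusing files that are misplaced or readable by other local accounts.
// The function name, INI keys and paths are assumptions, not from the thread.
function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('credentials file not found');
    }
    // Reject a file the web server could serve directly.
    $root = rtrim(realpath($docRoot) ?: $docRoot, '/') . '/';
    if (strncmp($real, $root, strlen($root)) === 0) {
        throw new RuntimeException('credentials file is inside the web root');
    }
    // Reject any access for "other": only the owner (and optionally the
    // group) that PHP runs as should be able to read the file.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('mode %04o is too permissive', $mode));
    }
    // RAW mode keeps characters such as $ or ! in a password literal.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('credentials file is not valid INI');
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing key: $key");
        }
    }
    return $cfg;
}

// Demo with a constructed file in the temp directory (not real credentials).
$file = tempnam(sys_get_temp_dir(), 'dbcred');
file_put_contents($file, "host=localhost\nuser=app\npassword=constructed-example\ndbname=appdb\n");
chmod($file, 0600);
$c = load_db_credentials($file, '/var/www/html');
echo "loaded credentials for user {$c['user']}\n";
chmod($file, 0644); // world-readable: the loader must now refuse it
try {
    load_db_credentials($file, '/var/www/html');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($file);
```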
