On Mon, 30 Jun 2003, Peter Janett wrote:

> This issue seems to be a huge issue, and I've been looking for a good
> solution for quite a long time. My concern is that a shell emulating PHP or
> Perl script run as Apache can read or copy ANY PHP script used with PHP as
> an Apache module.

The reason I use php_value settings in Apache configuration files is to get round these problems. Provided these configuration files are only able to be read by Apache when starting up (running as root, binding to port 80, opening log files etc) no users' login shells, perl CGI scripts, or shell CGI scripts can read them. The only place that they are available is to PHP scripts run in the relevant directory. They cannot be seen by PHP scripts run in other virtual servers or outwith the specified directory tree.

As far as I can see the only downside is that they are still held in plain text anywhere, and that Apache has to be restarted (gracefully) whenever they are changed. It does of course assume that whoever is managing the server (has root access) is trusted with the MySQL passwords.

The only real doubt at the back of my mind about this is that a clever mod_perl programmer might be able to get Apache to disclose the information that should only be seen by PHP. But then, you don't go around letting just anyone install mod_perl hacks in your server, do you?

I'd be very grateful if anyone out there who can see any problems with my approach would let me know.

Graham
------------------------------------------------------------------------------
Graham Rule <[EMAIL PROTECTED]>
Computing Services, The University of Edinburgh    Phone: +44 131 650 6628
Main Library, George Sq, Edinburgh EH8 9LJ         Fax:   +44 131 650 6547

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
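
Added example, not part of the original message: a shell check of the precondition the message relies on, that the Apache configuration files holding php_value settings can be read only by root. The function name, the optional owner argument and the directory you pass in are assumptions.

```shell
#!/bin/sh
# Added example: report Apache config files that contain php_value or
# php_admin_value lines but are readable by group or other, or are not
# owned by the expected account. Any file listed here can be read by a
# login shell or CGI script, which defeats the approach described above.
#
# Usage: audit_php_value_perms CONF_DIR [OWNER]
#   CONF_DIR  directory holding the Apache configuration (assumed path)
#   OWNER     expected owner, name or numeric uid (default: root)

audit_php_value_perms() {
    conf_dir=$1
    owner=${2:-root}

    if [ ! -d "$conf_dir" ]; then
        echo "not a directory: $conf_dir" >&2
        return 2
    fi

    # Candidate files: group-readable (040), world-readable (004),
    # or owned by someone other than the expected owner.
    find "$conf_dir" -type f \
        \( -perm -040 -o -perm -004 -o ! -user "$owner" \) -print |
    while IFS= read -r f; do
        # Report only files that really carry PHP settings;
        # lines commented out with '#' do not match.
        if grep -Eq '^[[:space:]]*php_(admin_)?value[[:space:]]' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}
```

Empty output means every file carrying PHP settings under the directory is owner-only and owned by the expected account; it says nothing about backups or copies of those files kept elsewhere.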