On Mon, 30 Jun 2003, Peter Janett wrote:
> This issue seems to be a huge issue, and I've been looking for a good
> solution for quite a long time.  My concern is that a shell emulating PHP or
> Perl script run as Apache can read or copy ANY PHP script used with PHP as
> an Apache module.

The reason I use php_value settings in Apache configuration files is to
get round these problems.  Provided these configuration files are only
able to be read by Apache when starting up (running as root, binding to
port 80, opening log files etc) no users' login shells, perl CGI scripts,
or shell CGI scripts can read them.  The only place that they are
available is to PHP scripts run in the relevant directory.  They cannot be
seen by PHP scripts run in other virtual servers or outwith the specified 
directory tree.

As far as I can see the only downside is that they are still held in plain 
text anywhere, and that Apache has to be restarted (gracefully) whenever 
they are changed.  It does of course assume that whoever is managing the 
server (has root access) is trusted with the MySQL passwords.

The only real doubt at the back of my mind about this is that a clever 
mod_perl programmer might be able to get Apache to disclose the 
information that should only be seen by PHP.  But then, you don't go 
around letting just anyone install mod_perl hacks in your server do you?

I'd be very grateful if anyone out there who can see any problems with my 
approach would let me know.

Graham Rule                                             <[EMAIL PROTECTED]>
Computing Services, The University of Edinburgh        Phone: +44 131 650 6628
Main Library, George Sq, Edinburgh EH8 9LJ             Fax:   +44 131 650 6547

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to