On 05 February 2004 11:30, Harry Sufehmi wrote:
<...SNIP...>
> As you can see, the content will be secured, but the script
> is now becoming the weak point since it'll store the
> encryption key needed to decrypt the content.
I hope you don't mean that literally. If you're really being security conscious, the
encryption keys should be in an include file that lives *outside* the Web document
tree. If your include path is given relative to the including script, a hacker also
has to know the local pathname to the script in order to deduce the location of the
included file containing the keys.
On my site, the *only* PHP scripts visible to the Web server look like this:
<?php
ini_set('include_path', '../../relative/path/to/includes/');
require 'real_script.php';
?>
... and the only reason that the include_path is set there and not in php.ini or
equivalent is that I'm not the admin of the server and don't have access to
configuration files!
Cheers!
Mike
---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
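
The layout described in the message above, as an added example that is not part of the original post: the loader resolves the key file's real path and refuses to load it unless it lies outside the document root. The names load_secret_config, is_outside_docroot, keys.php and ENCRYPTION_KEY are hypothetical, and the directory tree is constructed in a temp directory so the script runs from the PHP 7+ command line.

```php
<?php
// Added example. All function names, file names and the key value are hypothetical.

// True only if $path exists and resolves (after ../ and symlinks) outside $docroot.
function is_outside_docroot(string $path, string $docroot): bool
{
    $real = realpath($path);          // false if the file does not exist
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false;                 // fail closed on anything unresolvable
    }
    // Trailing separator so "/srv/htdocs-old" is not mistaken for "/srv/htdocs".
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $root, strlen($root)) !== 0;
}

// Load a key file that returns an array, refusing any file the web server could serve.
function load_secret_config(string $path, string $docroot): array
{
    if (!is_outside_docroot($path, $docroot)) {
        throw new RuntimeException('key file missing or inside the document root');
    }
    $config = require $path;
    if (!is_array($config) || empty($config['ENCRYPTION_KEY'])) {
        throw new RuntimeException('key file did not return a key');
    }
    return $config;
}

// Constructed demo layout: <tmp>/htdocs is the document root, <tmp>/includes is not.
$base = sys_get_temp_dir() . '/site_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);
mkdir("$base/includes", 0700, true);
$keyFile = "<?php return ['ENCRYPTION_KEY' => 'constructed-demo-value'];\n";
file_put_contents("$base/includes/keys.php", $keyFile);
file_put_contents("$base/htdocs/keys.php", $keyFile);    // misplaced copy

$docroot = "$base/htdocs";    // on a web server: $_SERVER['DOCUMENT_ROOT']

// Key file outside the tree: accepted.
$cfg = load_secret_config("$docroot/../includes/keys.php", $docroot);
echo "loaded key of length ", strlen($cfg['ENCRYPTION_KEY']), "\n";

// Same file name inside the tree: refused.
try {
    load_secret_config("$docroot/keys.php", $docroot);
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

The check runs on the resolved path, so a symlink placed inside the document root that points at the key file does not change the result for the real file, and a key file copied into the tree is rejected.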