Not really a direct solution, but anyways... You could use Turck MMCache to convert the code into bytecode. That way nobody can see the password, at least not too easily.

- Sid

On Thu, 01 Jul 2004 16:28:57 +0100, Peter Risdon <[EMAIL PROTECTED]> wrote:
> Bob Hockney wrote:
> > Gerben wrote:
> >
> > > I think he is talking about the password that is written inside the script
> > > in the mysql_connect statement. I think he is worried that someone could
> > > access its code and find out the DB password.
> >
> > What I am concerned about is a local user on the server machine, not access through
> > the web server. It sounds like it can be done if there is a separate user or
> > group for the web server process, but this is site specific. It would be difficult
> > to distribute a program and use a generalized install routine to install the file
> > containing the passwords to be edited by the site admin.
> >
> > -Bob
>
> The only way I know to achieve this is to install apache with the suexec
> option. This has no effect on mod_php but does on the cgi version. So
> then install the cgi version of php. A virtual host can run with the
> effective uid and gid of the account holder (user). Scripts can then be
> installed in the cgi-bin, owned by that user with permissions 0700. No
> other user can see them yet apache will be able to execute them. The
> database password can be in your script or in an include file with these
> permissions.
>
> If you want to distribute a program, there are obvious problems - apache
> is not always installed suexec and the cgi version of php is rarely
> installed (it doesn't conflict in any way with mod_php, though. You can
> have both).
>
> Bear in mind that this issue affects every distributed php application,
> including horde, php groupware and so on. Most shared servers run a form
> of ftp that chroots users into their home directories, and this helps.
> The main thing is to keep the file with the password out of the webspace
> (an include path can be anywhere), or make an apache configuration file
> part of your distribution, to be included in httpd.conf (viz horde),
> that restricts access to a directory that is intended for configuration
> files.
>
> Peter.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
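
The placement Peter describes (password file outside the webspace, owned by the account holder, no access for other users) can be checked with a small script. This is an added example, not part of the original thread; the function name, directory names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the file holding the DB password:
# it must sit outside the web root, be owned by the account holder, and carry
# no group/other permission bits (the 0700 style described above).
# Usage: check_secret_file DOCROOT FILE [OWNER_UID]   (hypothetical helper)
check_secret_file() {
    docroot=$1; file=$2; want_uid=${3:-$(id -u)}; bad=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # Compare physical paths so symlinks and ../ cannot hide a file in webspace.
    real_root=$(cd "$docroot" && pwd -P) || return 2
    real_dir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    case "$real_dir/" in
        "$real_root"/*) echo "IN_WEBSPACE $file"; bad=1 ;;
    esac

    # ls -ldn prints: mode string, link count, numeric uid, ...
    info=$(ls -ldn "$file" | awk '{print substr($1,1,10) " " $3}')
    mode=${info% *}; uid=${info#* }
    case "$mode" in
        ????------) ;;   # no bits set for group or others
        *) echo "GROUP_OR_OTHER_ACCESS $file ($mode)"; bad=1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "WRONG_OWNER $file (uid $uid)"; bad=1; }
    return $bad
}

# Demo on constructed files in a scratch directory.
demo() {
    t=$(mktemp -d) && mkdir "$t/htdocs" "$t/private" || return 2
    echo '<?php $db_pass = "example"; ?>' > "$t/htdocs/config.inc.php"
    cp "$t/htdocs/config.inc.php" "$t/private/config.inc.php"
    chmod 644 "$t/htdocs/config.inc.php"; chmod 600 "$t/private/config.inc.php"
    check_secret_file "$t/htdocs" "$t/htdocs/config.inc.php"
    check_secret_file "$t/htdocs" "$t/private/config.inc.php" && echo "OK private copy"
    rm -rf "$t"
}
demo
```

The check only covers file placement and mode bits; whether Apache can still execute a 0700 script depends on the suexec and CGI setup described in the quoted message.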