1) Yes, store this kind of information outside of your web-root. But I am not sure if Apache will return the source even if php's parser crashes. If you are using the module version of php, Apache should be able to "re-start" itself when such an error is found. I believe you can set up Apache (and maybe other servers) to not start, or restart, if certain procedures are not met. If anything fails, it simply doesn't start at all.

I also believe php's cgi version has the same behaviour, ie: the server will try to send the request again if it "crashes".

2) Sessions are identified either from a cookie, or by appending the SID (or similar) to the url, or both. Anyone who has access to the temporary session files (or database, whatever you store it in) can read them, although I believe that if you can't get the list of files in there, you won't guess the actual filename (it's something like 27bf1bb8b919e7c35217f76e45f1e86a).

--
Julio Nobrega.

One day I'll get there:
http://sourceforge.net/projects/toca

Did I help? Did I save you? How about a little gift?
http://www.submarino.com.br/wishlistclient.asp?wlid=664176742884

"Jan Peuker" <[EMAIL PROTECTED]> wrote in message news:00f101c1efad$ef688670$7164a8c0@toshiba...
> Sorry for answering with a new question.
> But, what if, say, the PHP-Parser crashes (or a filename is changed) and
> Apache returns the source. How is it simply possible to store passwords
> somewhere httpd-users won't see it? (e.g. in the includes-Folder, am I
> right?)
> And are session-variables sent per post or does the next script read them
> from the session-file so nobody can read them?
> Regards,
>
> Jan Peuker
>
> ----- Original Message -----
> From: "Miguel Cruz" <[EMAIL PROTECTED]>
> To: "Jay Fitzgerald" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Monday, April 29, 2002 8:33 PM
> Subject: Re: [PHP] PHP Security
>
> > On Mon, 29 Apr 2002, Jay Fitzgerald wrote:
> > > Can someone point me in the right direction in determining just how
> > > secure PHP really is?
> >
> > What are you actually trying to find out?
> >
> > As far as actual security problems in PHP, where the interpreter behaves
> > contrary to documentation when provided with extraordinary inputs, the
> > team has been very responsive with fixes (in contrast with, say,
> > Microsoft).
> >
> > If you are wondering about the security of any given application developed
> > in PHP, well, that's up to the developers of that application.
> >
> > miguel
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
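The two points above (credentials kept outside the web root, session files readable by anyone with access to the save directory) as an added example in PHP; this is not code from the thread. The paths /var/www/html and /var/www/private, the file name db-credentials.php and the function names are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Assumes the web root is
// /var/www/html and a private directory /var/www/private exists outside it.
declare(strict_types=1);

const PRIVATE_DIR = '/var/www/private'; // assumed path, outside the web root

// 1) Keep credentials outside the web root so a parser failure or a renamed
//    file cannot hand them out as plain text, and refuse to run if the file
//    ever resolves to a location inside the document root.
function loadSecrets(string $docRoot): array
{
    $file = realpath(PRIVATE_DIR . '/db-credentials.php');
    $root = realpath($docRoot);
    if ($file === false || $root === false
        || str_starts_with($file, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('credentials file missing or inside the web root');
    }
    $secrets = require $file; // the file returns ['user' => ..., 'pass' => ...]
    if (!is_array($secrets) || !isset($secrets['user'], $secrets['pass'])) {
        throw new RuntimeException('credentials file is malformed');
    }
    return $secrets;
}

// 2) Session data is stored in files named after the session ID; whoever can
//    read the save directory can read every session. Use a private directory
//    with a restrictive mode and keep the ID out of URLs.
function configureSessions(): void
{
    $dir = PRIVATE_DIR . '/sessions';
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    ini_set('session.save_path', $dir);
    ini_set('session.use_only_cookies', '1'); // no SID in the query string
    ini_set('session.use_trans_sid', '0');    // no SID rewritten into links
    ini_set('session.cookie_httponly', '1');  // cookie not readable by scripts
    ini_set('session.cookie_secure', '1');    // cookie sent over HTTPS only
    session_start();
}

configureSessions();
$db = loadSecrets($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
```

The realpath check covers the case the question raises of a file being copied into an includes folder under the web root: the script stops instead of serving with a secret that the httpd can also hand out.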