On Tuesday, June 25, 2002, at 03:46  PM, Peter wrote:

> When you have the standard
> $link = mysql_connect("localhost","username","secretpassword");
> Would it not be possible for someone to use PHP from another server to
> download your source and find out your MySQL details including password?

Yes.  If they have access to the source, they can see these values.  If 
they don't have some way of seeing those files, though, they won't be 
able to do it.

For this reason it is a good idea to make sure that no one except you 
and the user that the webserver runs as can read your files.  For 
instance, all my files are actually readable to all (their mode is 644), 
except for one.  This one file is readable only to me and members the 
"apache" group, and it contains all of the database connection 
parameters.  Of course, the only member of the "apache" group is the 
"apache" user that the web server runs as, so no one else will be 
reading this file.

It's a luxury of having root access on my server, since this is pretty 
difficult to do without a root user (catch 22 -- how do you change the 
file to the "apache" group unless you are a member of the "apache" 
group, but if you are a member of the "apache" group then you can see 
all of the "protected" files in that group).

Also I have a directive that prevents Apache from serving any file with 
".inc" suffix, and this file does, so Apache (hopefully) won't serve 
this data to the world via port 80.



Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to