From: "Jonathan Rosenberg" <[EMAIL PROTECTED]>

> Let's say I am in a shared server environment & the provider does
> NOT have safe_mode turned on. In that case, it seems to me that
> it is "insecure" to keep "secrets" (e.g., DB passwords) in a PHP
> file that is executed by the server.
>
> I say this because any other users of that shared host can read
> the PHP file & obtain the secret. There does not seem to be any
> way around this (once again, I am assuming safe_mode is NOT
> turned on).
>
> Am I correct?

Yep. If Apache and PHP can access a file, either directly through the web, or through an include()/require(), etc, then anyone on your machine can access that file. All PHP scripts run as the same user, the Apache user, so the system can't tell the difference between your script including a file, and someone else's script including a file.

I thought we covered this about a week ago?

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
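
An added example, not part of the original thread: a small audit that applies the Unix owner/group/other read rule to a secrets file and reports who can reach it when every PHP script runs as one web server account. The uids, gids, modes and the `config.php` name are constructed sample values, and it assumes the directories above the file are traversable.

```php
<?php
// Added example; uids, gids and modes below are constructed sample values.

// Unix read check: owner bits if uid matches, else group bits, else other bits.
function can_read(int $mode, int $owner, int $group, int $uid, array $gids): bool
{
    if ($uid === 0) {
        return true; // root bypasses mode bits
    }
    if ($uid === $owner) {
        return ($mode & 0400) !== 0;
    }
    if (in_array($group, $gids, true)) {
        return ($mode & 0040) !== 0;
    }
    return ($mode & 0004) !== 0;
}

// Report who, besides the owner, can get at the file's contents.
function audit_secret(int $mode, int $owner, int $group, int $webUid, array $webGids): array
{
    $findings = [];
    if (($mode & 0004) !== 0) {
        $findings[] = 'world-readable: every local account can read it directly';
    }
    if (can_read($mode, $owner, $group, $webUid, $webGids)) {
        $findings[] = 'readable by the web server account: every PHP script on the host can read it';
    } else {
        $findings[] = 'not readable by the web server account: your own include() fails too';
    }
    return $findings;
}

$tenant  = 1001;  // constructed: uid/gid of the account that owns the file
$webUid  = 48;    // constructed: uid the web server (and all PHP scripts) run as
$webGids = [48];  // constructed: groups of the web server account

$cases = [
    'config.php 0644 tenant:tenant' => [0644, $tenant, $tenant],
    'config.php 0640 tenant:web'    => [0640, $tenant, 48],
    'config.php 0600 tenant:tenant' => [0600, $tenant, $tenant],
];
foreach ($cases as $label => [$mode, $owner, $group]) {
    echo $label, "\n";
    foreach (audit_secret($mode, $owner, $group, $webUid, $webGids) as $finding) {
        echo "  - ", $finding, "\n";
    }
}
```

Tightening the mode from 0644 to 0640 only removes direct reads by other local accounts; the file stays readable to every script the web server runs, and 0600 locks out the owner's own application as well.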