> I suppose include() can be used to include files from remote
> systems(not on

Only if the sysadmin running your web server allows it, which they should

> A webmaster on the same server can always use a path like
> "/home/htdocs/.../config.php" and include my config .php which contains my
> database password !!

Not quite, but if you are on a shared server hosted by somebody else, there
is a potential problem.  If somebody can figure out the name of the function
that opens the database, they could call it, potemtially giving access to
the data.  You could use the solution posted by Justin French to make sure
that the function does nothing for them when they call it.

As other people have said, your hosting organisation should set the system
up so that nobody can read your PHP code, and that nobody outside the host
computer can include it.  However, I think it would be difficult for them to
stop another user on the same server including your code.

If you run your own server, you can set it up so that each webmaster is
locked into a private environment, but it's messy.  According to me, you
would need a separate copy of apache for each site, each running under a
different user, and they would need to run on separate ports, which is a

Simon Ritchie

Download my introduction to PHP for $25:

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to