> > I suppose include() can be used to include files from remote > > systems(not on > > WINDOWS). > > Only if the sysadmin running your web server allows it, which they should > not. > > > > A webmaster on the same server can always use a path like > > "/home/htdocs/.../config.php" and include my config .php which contains my > > database password !! > > Not quite, but if you are on a shared server hosted by somebody else, there > is a potential problem. If somebody can figure out the name of the function > that opens the database, they could call it, potemtially giving access to > the data. You could use the solution posted by Justin French to make sure > that the function does nothing for them when they call it. But probably the password is in variable so if you can include() the file with the password and cored dump the php you can view it. I've found a bug or two that core dump PHP and saw my secrets there. Even function or variables with mangled names will not help you.
> If you run your own server, you can set it up so that each webmaster is > locked into a private environment, but it's messy. According to me, you > would need a separate copy of apache for each site, each running under a > different user, and they would need to run on separate ports, which is a > nuisance. > This is called SAFE mode (easy to be done) and the other restriction is open_basedir directive in php.ini Andrey -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php