Julius wrote,
> While installing the UpdateForm recipe (for interfacing with a mysql
> database), I bumped into a security issue. On
> http://www.pmwiki.org/wiki/Cookbook/UpdateForm it says:
>
> 3. Define (either in the script or in config.php) the constants
> DB_SERVER, DB_NAME, DB_USER, and DB_PASS to match your database, like so:
>
> define ('DB_SERVER', 'db1.example.com');
> define ('DB_NAME', 'my_database');
> define ('DB_USER', 'my_username');
> define ('DB_PASS', 'my_password');
>
> But I prefer to not store these inside my web/doc root.
> What is the best option to do this then?
>
> Should I best put
>
> require_once("../dbinclude.php");
>
> in /local/config.php or in updateform.php ?
> where dbinclude.php is:
> <?php include("/home/path_to_dbase_access_variables_stuff.php"); ?>
>
> or will the require_once cause trouble and should I use the include directly?

Hi, Julius. Require and include do basically the same thing, so there's no need to require a file that does nothing but include another file; you might as well do it in one step.

However, I question whether what you're suggesting will do any good, since the file with the passwords in it has to be readable by the Web server in order to be included by PHP, and as I understand it, that means it will also be readable by anyone who has access to your Web document root directory. I haven't tried it, though, so I may be mistaken. Let me know what you find out!

Ben Stallings
Interdependent Web
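
One way to define the recipe's four constants from a file kept outside the document root, as the question above asks. This is an added example, not part of either message or of the UpdateForm recipe; the file path, the function name load_db_constants and the array-returning credentials file are assumptions, and a Unix host is assumed.

```php
<?php
// Added example for local/config.php. Assumed credentials file (placeholder
// path), kept outside the document root and containing only:
//   <?php return array('DB_SERVER' => 'db1.example.com', 'DB_NAME' => 'my_database',
//                      'DB_USER' => 'my_username', 'DB_PASS' => 'my_password');

function load_db_constants($credFile, $docRoot)
{
    // Resolve symlinks and ".." so the checks apply to the real file.
    $real = realpath($credFile);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('Database configuration is missing.');
    }

    // Refuse a file under the document root: if PHP handling is ever
    // switched off, the server would hand it out as plain text.
    $root = $docRoot ? realpath($docRoot) : false;
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('Database configuration is inside the document root.');
    }

    // Refuse a file that any local account can read, write or execute.
    // Mode 640 (owner you, group the web server) or 600 passes this check.
    if ((fileperms($real) & 0007) !== 0) {
        throw new RuntimeException('Database configuration is open to other users.');
    }

    // The file returns an array, so including it creates no stray globals.
    $db = require $real;
    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $key) {
        if (!is_array($db) || !isset($db[$key]) || !is_string($db[$key])) {
            throw new RuntimeException("Database configuration lacks $key.");
        }
        if (!defined($key)) {
            define($key, $db[$key]);
        }
    }
}

// Hypothetical location; error messages above never echo the path or values.
load_db_constants(
    '/home/youruser/private/db_credentials.php',
    isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : ''
);
```

The permission check covers other local accounts only; code running as the web server user can still read the file, since PHP has to be able to include it.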
