While I've never actually had that happen (If Apache crashes, NOTHING goes out the socket...not the source to the page), in short, there is very little that you can do to protect yourself against this. For PHP to get to the file, it has to be readable by the user that Apache is running under. Since include files get shoveled in before the page is executed, if Apache were to spew the source, your include files would go with it.

That being said, I keep all my passwords in include files and keep the include files in directories that Apache can't serve directly. This provides some level of comfort. (but not a lot)

=C=
*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*

-----Original Message-----
From: Jan Peuker [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 1:45 PM
To: [EMAIL PROTECTED]
Subject: [PHP] In Addition to [PHP] PHP Security

Sorry for answering with a new question. But what if, say, the PHP parser crashes (or a filename is changed) and Apache returns the source? How is it simply possible to store passwords somewhere httpd users won't see them? (e.g. in the includes folder, am I right?)
And are session variables sent per post, or does the next script read them from the session file so nobody can read them?

Regards,

Jan Peuker

----- Original Message -----
From: "Miguel Cruz" <[EMAIL PROTECTED]>
To: "Jay Fitzgerald" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 29, 2002 8:33 PM
Subject: Re: [PHP] PHP Security

> On Mon, 29 Apr 2002, Jay Fitzgerald wrote:
> > Can someone point me in the right direction in determining just how secure
> > PHP really is?
>
> What are you actually trying to find out?
>
> As far as actual security problems in PHP, where the interpreter behaves
> contrary to documentation when provided with extraordinary inputs, the
> team has been very responsive with fixes (in contrast with, say,
> Microsoft).
>
> If you are wondering about the security of any given application developed
> in PHP, well, that's up to the developers of that application.
>
> miguel
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
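
The practice described in the first reply of this thread (credentials kept in an include file in a directory Apache cannot serve directly) can be enforced at load time. The following is an added example, not code from any poster in the thread; the function names, directory layout and credential values are hypothetical and constructed for the demo.

```php
<?php
/**
 * True when $file resolves (symlinks and ".." followed) to a path that is
 * NOT underneath $docroot, so no URL under the docroot maps onto it.
 */
function is_outside_docroot(string $file, string $docroot): bool
{
    $realFile = realpath($file);
    $realRoot = realpath($docroot);
    if ($realFile === false || $realRoot === false) {
        return false; // fail closed: a path we cannot resolve is treated as unsafe
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $prefix, strlen($prefix)) !== 0;
}

/**
 * Load credentials from an include file that must `return` an array,
 * refusing any file that sits inside the document root.
 */
function load_credentials(string $file, string $docroot): array
{
    if (!is_outside_docroot($file, $docroot)) {
        throw new RuntimeException("refusing to load credentials from $file");
    }
    $creds = require $file;
    if (!is_array($creds)) {
        throw new RuntimeException("credentials file must return an array");
    }
    return $creds;
}

// Constructed demo layout in a temp directory (hypothetical paths and values).
$base = sys_get_temp_dir() . '/creds_demo_' . getmypid();
mkdir("$base/htdocs", 0700, true);
mkdir("$base/private", 0700, true);
$body = "<?php return ['user' => 'app', 'pass' => 'example-only'];";
file_put_contents("$base/private/db.inc.php", $body); // outside the docroot
file_put_contents("$base/htdocs/db.inc.php", $body);  // misplaced copy inside it

$creds = load_credentials("$base/private/db.inc.php", "$base/htdocs");
echo "loaded credentials for user: {$creds['user']}\n";

try {
    load_credentials("$base/htdocs/db.inc.php", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

In a real deployment the second argument would be the server's document root (for example `$_SERVER['DOCUMENT_ROOT']`), and the file must still be readable by the user Apache runs as.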