RE: [PHP] Opinion on a method....

2003-04-04 Thread Bryan Lipscy
Put the connect info into a php file (i.e. connect.php).  
If it is ever directly accessed by the client the PHP engine will render
a blank page.
If your ini file is ever accessed by the client it will render the
contents of the ini file.

Wonder if removing rwx would adversely affect includes to this php
file..

-Original Message-
From: Dan Joseph [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 04, 2003 11:05 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Opinion on a method


Hi,

I would like to get some opinions here on a method I'm doing to grab
connect information for a mysql connection.

Currently I am doing: $pinfo = fopen("/director1/directory2/filename.ini", "r");

I'm looking for a more secure method of doing this.  Is XML a solution?
Is there something else?  Are you doing something similar?

All opinions greatly appreciated...

-Dan Joseph


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php





RE: [PHP] Opinion on a method....

2003-04-04 Thread Dan Joseph
Ahh, good thought.  I also have it outside the web site directory tree.

-Dan Joseph

-Original Message-
From: Bryan Lipscy [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 2:14 PM
To: 'Dan Joseph'; [EMAIL PROTECTED]
Subject: RE: [PHP] Opinion on a method


Put the connect info into a php file (i.e. connect.php).  
If it is ever directly accessed by the client the PHP engine will render
a blank page.
If your ini file is ever accessed by the client it will render the
contents of the ini file.

Wonder if removing rwx would adversely affect includes to this php
file..




RE: [PHP] Opinion on a method....

2003-04-04 Thread Jon Haworth
Hi Dan,

> I would like to get some opinions here on a method I'm doing
> to grab connect information for a mysql connection. Currently
> I am doing:
>   $pinfo = fopen("/director1/directory2/filename.ini", "r");

Does this filename.ini contain the code to connect to your database? If so,
I usually do two things with this file:

1. put it outside the document root, so users can't browse to it
2. put any code that might output something (an error message, for example)
inside a function, so even if it is run, nothing will happen - you need to
include() it and then call the function yourself.

If it's just connection information, with no code (I'm a bit confused by the
.ini extension :-) then just make sure it's somewhere outside your document
root.

> Is XML a solution?

I don't think XML is inherently any more secure than plain text - it's all
down to how you store and transmit the data.

Cheers
Jon






Re: [PHP] Opinion on a method....

2003-04-04 Thread CPT John W. Holmes
> I would like to get some opinions here on a method I'm doing to grab
> connect information for a mysql connection.
>
> Currently I am doing: $pinfo = fopen("/director1/directory2/filename.ini", "r");
>
> I'm looking for a more secure method of doing this.  Is XML a solution?
> Is there something else?  Are you doing something similar?

So long as filename.ini is outside of your web root, you are fine. You could
also just have a plain PHP file outside of your web root and use the
include() function to get the variables...

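include.php:

<?php
// Connection settings; this file lives outside the web root.
$host = "localhost";
$user = "john";
$password = "mypass";
?>

index.php (or any other script)
<?php
include("/path/to/include.php");
// Connect with the variables defined in include.php.
mysql_connect($host, $user, $password);
?>

etc... You can instead put the connection function within the include.php
file, too.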

---John Holmes...





RE: [PHP] Opinion on a method....

2003-04-04 Thread Dan Joseph
Hi Jon,

the ini file looks like:

hostipuserpassworddatabasename

after I import it, I split it up, and assign each to a variable name.

I also have it outside the doc root, and it gives a generic error msg for
every error in the system (db related, or not).

Should this do it?

-Dan Joseph

-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 2:20 PM
To: Dan Joseph; [EMAIL PROTECTED]
Subject: RE: [PHP] Opinion on a method


Hi Dan,

> I would like to get some opinions here on a method I'm doing
> to grab connect information for a mysql connection. Currently
> I am doing:
>   $pinfo = fopen("/director1/directory2/filename.ini", "r");

Does this filename.ini contain the code to connect to your database? If so,
I usually do two things with this file:

1. put it outside the document root, so users can't browse to it
2. put any code that might output something (an error message, for example)
inside a function, so even if it is run, nothing will happen - you need to
include() it and then call the function yourself.

If it's just connection information, with no code (I'm a bit confused by the
.ini extension :-) then just make sure it's somewhere outside your document
root.

> Is XML a solution?

I don't think XML is inherently any more secure than plain text - it's all
down to how you store and transmit the data.

Cheers
Jon






RE: [PHP] Opinion on a method....

2003-04-04 Thread Bryan Lipscy
In a php file I can just include the connection information and reduce
the overhead that comes with fopen.  Still gives me one central spot for
changing connection information as necessary.

There is always more than one way to do it.
-Bryan

-Original Message-
From: Dan Joseph [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 04, 2003 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Opinion on a method


Ahh, good thought.  I also have it outside the web site
directory tree.

-Dan Joseph




Re: [PHP] Opinion on a method....

2003-04-04 Thread Kevin Stone

- Original Message -
From: Jon Haworth [EMAIL PROTECTED]
To: Dan Joseph [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 12:19 PM
Subject: RE: [PHP] Opinion on a method


> Hi Dan,
>
> > I would like to get some opinions here on a method I'm doing
> > to grab connect information for a mysql connection. Currently
> > I am doing:
> >   $pinfo = fopen("/director1/directory2/filename.ini", "r");
>
> Does this filename.ini contain the code to connect to your database? If so,
> I usually do two things with this file:
>
> 1. put it outside the document root, so users can't browse to it
> 2. put any code that might output something (an error message, for example)
> inside a function, so even if it is run, nothing will happen - you need to
> include() it and then call the function yourself.
>
> If it's just connection information, with no code (I'm a bit confused by the
> .ini extension :-) then just make sure it's somewhere outside your document
> root.
>
> > Is XML a solution?
>
> I don't think XML is inherently any more secure than plain text - it's all
> down to how you store and transmit the data.
>
> Cheers
> Jon

I will add in this case that include() is going to be no less secure than
fopen(), plus it's going to be a whole hell of a lot easier.

- Kevin






RE: [PHP] Opinion on a method....

2003-04-04 Thread Jon Haworth
Hi Dan,

> the ini file looks like: hostipuserpassworddatabasename
> after I import it, I split it up, and assign each to a variable
> name. I also have it outside the doc root, and it gives a
> generic error msg for every error in the system.

Should do it - it's a bit of a long-winded route, though.

As Kevin said, why not just use include()? It'll be a lot easier and just as
safe :-)

Cheers
Jon





RE: [PHP] Opinion on a method....

2003-04-04 Thread Dan Joseph
Hi,

Thanks to everyone for the input.

Reason I'm not using an include is simple.  The file does not contain any
variables, it just has a line of text that is  delimited.  I guess I was
just looking at the include() method as insecure.  I can see how it wouldn't
be now.

Thanks to everyone!

-Dan Joseph

-Original Message-
From: Jon Haworth [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] Opinion on a method


Hi Dan,

> the ini file looks like: hostipuserpassworddatabasename
> after I import it, I split it up, and assign each to a variable
> name. I also have it outside the doc root, and it gives a
> generic error msg for every error in the system.

Should do it - it's a bit of a long-winded route, though.

As Kevin said, why not just use include()? It'll be a lot easier and just as
safe :-)

Cheers
Jon





RE: [PHP] Opinion on a method....

2003-04-04 Thread John W. Holmes
> Reason I'm not using an include is simple.  The file does not contain any
> variables, it just has a line of text that is  delimited.  I guess I was
> just looking at the include() method as insecure.  I can see how it wouldn't
> be now.

Why not create your .ini file in the same format as php.ini and use
parse_ini_file() to read it. This will allow you to put in comments and
name the variables so that when someone else sees this file or tries to
edit your program, they'll know what the heck this file is.

;Host
host = localhost
;User
user = john
;Password
password = mypass

Then in PHP:

$var = parse_ini_file("/path/to/filename.ini");
echo $var['host'];
echo $var['user'];
echo $var['password'];
etc...

www.php.net/parse_ini_file

Letting a native PHP function handle reading and loading the file into
variables will be faster than a homegrown method from within PHP.

---John Holmes...
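
Added example, not part of the original thread and not any poster's code: one way to combine the advice given across these replies (config outside the document root, parse_ini_file(), a generic error to the client) and to answer the file-permission question with a check. The helper names load_db_config() and config_failure(), the /var/www/html document root and the POSIX permission model are assumptions made for illustration.

```php
<?php
// Added example: load_db_config() and config_failure() are hypothetical helpers.

// Detail goes to the server log; the caller only ever sees a generic message.
function config_failure(string $detail): void
{
    error_log("db config: $detail");
    throw new RuntimeException('Configuration error');
}

function load_db_config(string $iniPath, string $docRoot): array
{
    clearstatcache(); // make sure the permission check below sees current modes
    $real = realpath($iniPath);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        config_failure("cannot read $iniPath");
    }
    // Refuse a file the web server could serve: anything under the document root.
    $root = realpath($docRoot);
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            config_failure("$real is inside the document root");
        }
    }
    // PHP only needs read access as the user it runs as (assumes POSIX modes).
    if ((fileperms($real) & 0007) !== 0) {
        config_failure("$real is accessible to other users");
    }
    // RAW mode keeps values such as "on" or "null" as literal strings.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false || array_diff(['host', 'user', 'password'], array_keys($cfg)) !== []) {
        config_failure("$real is malformed or missing a key");
    }
    return $cfg;
}

// Constructed sample standing in for /path/to/filename.ini.
$ini = tempnam(sys_get_temp_dir(), 'db');
file_put_contents($ini, ";Host\nhost = localhost\n;User\nuser = john\n;Password\npassword = mypass\n");
chmod($ini, 0600);
$cfg = load_db_config($ini, '/var/www/html'); // document root is an assumption
echo "{$cfg['host']} as {$cfg['user']}\n";
chmod($ini, 0644);                            // now world-readable
try {
    load_db_config($ini, '/var/www/html');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";              // generic message only
}
unlink($ini);
```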


