Re: [PHP] how to hide dbconnect file if its in published directory?
On Tuesday 10 July 1979 12:55 am, [EMAIL PROTECTED] wrote:
| on 7/10/01 1:01 AM, Navid A. Yar at [EMAIL PROTECTED] wrote:
| | Hmmm, I was wondering about security of PHP also. Does anyone know the
| | general issues of security within PHP documents? My thought is that PHP
| | cannot be seen when you view a source anyway, so isn't it secure enough
| | (besides the basic firewall and system security)?
|
| If you have some function in a file called say ... functions.inc you can
| see the php script if you call functions.inc from a browser... because the
| server won't do the php code in an inc file... how do I change this!?

Name the file ... functions.inc.php and ensure that you have the php start
and end tags on it.

--
Regards,
John Weaver

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] how to hide dbconnect file if its in published directory?
The suggestion to use the .php extension instead of the .inc extension
doesn't work.

I created two identical files, swordfish.php and swordfish.inc, containing
the following script:

  <?php
  define("PASSWORD", "swordfish");
  ?>

When I use the following lines

  include ('http://www.friendshipcenter.com/Objects/swordfish.inc');
  echo "Your password is ", PASSWORD;

it works, i.e., prints "Your password is swordfish".

When I use the following lines

  include ('http://www.friendshipcenter.com/Objects/swordfish.php');
  echo "Your password is ", PASSWORD;

it doesn't work, i.e., prints "Your password is PASSWORD".

I tried putting swordfish.inc in my cgi-bin directory, which is outside my
www directory. I can't figure out what pathname to call it with. I.e.,

  include ('cgi-bin/swordfish.inc');

can't find the file.

As I wrote earlier, my .inc files can be read by anyone typing in the URL.
It doesn't matter if there are <?php ?> lines. .inc files don't execute.

I rent server space from phpwebhosting.com, so I can't change the PHP
settings.

Any other ideas how to hide a password file?

--
Thomas David Kehoe, author of
THE EVOLUTION OF INTIMATE RELATIONSHIPS
How Our Brains Are Hardwired For Relationships
http://www.FriendshipCenter.com/TEIR/
Re: [PHP] how to hide dbconnect file if its in published directory?
I didn't read the first parts of this thread, but the reason for it working
in the first example and not the second is because the web server/php engine
processes php files when they're called over HTTP. This means that the
define() call is being executed, but your primary script only includes what
is sent through output. Since there is no output, there is no value to
include.

You can include("/path/to/local/dir/file.php") and it'll simply include the
source code, not the processed output. But anything being called via HTTP
will be processed as if you were viewing that file from a web browser.

/*
Chris Lambert, CTO - [EMAIL PROTECTED]
WhiteCrown Networks - More Than White Hats
Web Application Security - www.whitecrown.net
*/

----- Original Message -----
From: Thomas David Kehoe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 10, 2001 2:37 PM
Subject: Re: [PHP] how to hide dbconnect file if its in published directory?

| The suggestion to use the .php extension instead of the .inc extension
| doesn't work.
|
| I created two identical files, swordfish.php and swordfish.inc, containing
| the following script:
|
|   <?php
|   define("PASSWORD", "swordfish");
|   ?>
|
| When I use the following lines
|
|   include ('http://www.friendshipcenter.com/Objects/swordfish.inc');
|   echo "Your password is ", PASSWORD;
|
| it works, i.e., prints "Your password is swordfish".
|
| When I use the following lines
|
|   include ('http://www.friendshipcenter.com/Objects/swordfish.php');
|   echo "Your password is ", PASSWORD;
|
| it doesn't work, i.e., prints "Your password is PASSWORD".
|
| I tried putting swordfish.inc in my cgi-bin directory, which is outside my
| www directory. I can't figure out what pathname to call it with. I.e.,
|
|   include ('cgi-bin/swordfish.inc');
|
| can't find the file.
|
| As I wrote earlier, my .inc files can be read by anyone typing in the URL.
| It doesn't matter if there are <?php ?> lines. .inc files don't execute.
|
| I rent server space from phpwebhosting.com, so I can't change the PHP
| settings.
|
| Any other ideas how to hide a password file?
| --
| Thomas David Kehoe, author of
| THE EVOLUTION OF INTIMATE RELATIONSHIPS
| How Our Brains Are Hardwired For Relationships
| http://www.FriendshipCenter.com/TEIR/
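As an added example (not code from the thread or from any of its participants), here is the layout Chris describes: the credentials file lives outside the document root and is pulled in by filesystem path, so PHP executes its source rather than fetching the empty output of a web request. The paths, the `pathIsUnderDocroot` helper and the constant names are assumptions for the example; the password value is a constructed sample.

```php
<?php
// Added example, not code from the thread. It shows the fix Chris Lambert
// describes: keep the credentials file outside the document root and pull it
// in by filesystem path, so PHP executes its source instead of fetching the
// (empty) output of a web request.
//
// Assumed layout (hypothetical paths, adjust to your host):
//   /home/site/private/dbconnect.php   -- not reachable by any URL
//   /home/site/www/index.php           -- this public script
//
// /home/site/private/dbconnect.php holds only definitions and starts with a
// <?php tag; leaving the closing tag off avoids stray whitespace output:
//
//   <?php
//   define('DB_HOST', 'localhost');
//   define('DB_USER', 'app');
//   define('DB_PASSWORD', 'swordfish');   // constructed sample value

// True when $path resolves to a location inside $docroot, i.e. somewhere the
// web server could hand out verbatim if it does not treat the file as PHP.
function pathIsUnderDocroot($path, $docroot)
{
    $real = realpath($path);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return false;
    }
    $root = rtrim($root, '/') . '/';
    return strncmp($real . '/', $root, strlen($root)) === 0;
}

$private = dirname(__DIR__) . '/private';   // sibling of the www directory
$config  = $private . '/dbconnect.php';

// Refuse to proceed if the secrets sit where a browser could fetch them.
if (isset($_SERVER['DOCUMENT_ROOT'])
    && pathIsUnderDocroot($config, $_SERVER['DOCUMENT_ROOT'])) {
    die('dbconnect.php sits inside the document root; move it out');
}

// Filesystem path: the define() calls run in this script's context.
// An http:// URL here would include the server's *output* instead, which for
// a definitions-only file is nothing, leaving DB_PASSWORD undefined.
require $config;

if (!defined('DB_PASSWORD')) {
    die('dbconnect.php did not execute; check the include path');
}

echo 'Connecting to ', DB_HOST, ' as ', DB_USER, "\n";
```

Two notes on the thread's failure cases. A relative path such as `cgi-bin/swordfish.inc` is resolved against the include path and the current working directory, not against the site root, which is why Thomas's attempt could not find the file; anchoring on `__DIR__` (or `dirname(__FILE__)` on older PHP) gives a path that works regardless of where the script is invoked from. Where a shared host leaves no writable directory above the document root, the remaining option is to stop the web server serving `.inc` files directly, for example an Apache `.htaccess` with a `<FilesMatch "\.inc$">` block containing `Deny from all` (Apache 1.3/2.2) or `Require all denied` (2.4), provided the host honours `.htaccess` overrides; `include` by filesystem path keeps working because it bypasses the web server entirely.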
Re: [PHP] how to hide dbconnect file if its in published directory?
on 7/10/01 12:30 AM, John Weaver at [EMAIL PROTECTED] wrote:
| Sorry, I should have been more clear. If you write modular code, your
| included file will be nothing but a group of functions. Call a file with
| nothing but functions in it and you get; <HTML><HEAD></HEAD></HTML>. I
| can't see the security problem you refer to.

Ahhh! I have this problem now ... do you put the <?php ?> tags on an inc
file? If not how do you keep people from reading it?
RE: [PHP] how to hide dbconnect file if its in published directory?
Hmmm, I was wondering about security of PHP also. Does anyone know the
general issues of security within PHP documents? My thought is that PHP
cannot be seen when you view a source anyway, so isn't it secure enough
(besides the basic firewall and system security)?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 1979 11:40 PM
To: [EMAIL PROTECTED]; Rasmus Lerdorf
Cc: Noah Spitzer-Williams; [EMAIL PROTECTED]
Subject: Re: [PHP] how to hide dbconnect file if its in published directory?

| on 7/10/01 12:30 AM, John Weaver at [EMAIL PROTECTED] wrote:
| | Sorry, I should have been more clear. If you write modular code, your
| | included file will be nothing but a group of functions. Call a file with
| | nothing but functions in it and you get; <HTML><HEAD></HEAD></HTML>. I
| | can't see the security problem you refer to.
|
| Ahhh! I have this problem now ... do you put the <?php ?> tags on an inc
| file? If not how do you keep people from reading it?
Re: [PHP] how to hide dbconnect file if its in published directory?
on 7/10/01 1:01 AM, Navid A. Yar at [EMAIL PROTECTED] wrote:
| Hmmm, I was wondering about security of PHP also. Does anyone know the
| general issues of security within PHP documents? My thought is that PHP
| cannot be seen when you view a source anyway, so isn't it secure enough
| (besides the basic firewall and system security)?

If you have some function in a file called say ... functions.inc you can
see the php script if you call functions.inc from a browser... because the
server won't do the php code in an inc file... how do I change this!?