On Thu, 17 Feb 2005 20:47:28 -0600, .....hG <forums@xxxxxxxxxxxxxxxx> wrote:

> It makes me wonder how secure in reality it is to place your UN and
> Passwords on a PHP file.

Best idea is to place such information in an include file, which you can call using the include() or require() statements - and place it someplace outside of the document root. E.g.: /users/~yourname/public_html/ might be where www.example.com maps to on the local file system, so put your includes in /users/~yourname/somewhere_else/

Also - do not name these files with a .inc extension. If you need to signify the fact that they are to be included in other pages, give them .inc.php extensions. So if your webserver ever has a vulnerability whereby people can read files outside the document root (e.g. by typing http://www.example_site.com/../includes/dbpassword.inc.php) - the file will be parsed by PHP before being sent to the browser, thus hiding any mysql connect statements or $username variable declarations.

The other type of exploit you might need to guard against is one where people can trick the server into not parsing PHP files, but sending them straight to the browser as plain text. This might be done by sending unicode chars, or by putting an extra . on the end of the filename. E.g.: requesting http://www.example_site.com/includes/dbpassword.inc.php. This is more of a problem if you place such files within the document root.

If you don't have access to space outside of the document root, then a) rattle your hosting provider's cage a little bit and b) protect these files with .htaccess and .htpasswd files (google for it if you haven't used .htaccess before). At least this way, if somebody does try to request the files directly with their web browser, they'll be prompted for a username and password. PHP, meanwhile, will still be able to read the contents.

If you're running some script which does have a load of files named .inc, and you don't want to go grepping every file, changing all instances of .inc to .inc.php, and renaming all the files - then use .htaccess files to add php as a handler for all .inc files - so any file with a .inc extension will be treated exactly the same as if it had a .php extension - i.e. it will be parsed by PHP, rather than being sent to the browser as plaintext.

If you're really, really, really paranoid, you can add a file to the includes directory, called, say, rootpassword_backdoor.php, which, when accessed, will add the remote IP address to a blacklist, which other scripts consult, and if they find it matches any sites requesting them, they ignore.

My 2 bits.

-- 
AdamT
"Justify my text? I'm sorry, but it has no excuse."

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
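As an added example (not code from AdamT's mail, nor part of PHP itself), here is the include-outside-the-document-root layout described above, with a check that refuses to load the credentials file if it actually resolves to a path under DOCUMENT_ROOT; the directory layout, the file name dbpassword.inc.php and the helper loadCredentials are assumptions.

```php
<?php
// Added example, not code from AdamT's mail. Layout follows the post:
//   document root : /users/~yourname/public_html      (served by the web server)
//   include dir   : /users/~yourname/somewhere_else   (never served)
// The credentials file lives in the include dir and simply returns an array:
//   <?php return ['host' => 'localhost', 'user' => 'dbuser', 'pass' => 'PLACEHOLDER'];
// (the file name dbpassword.inc.php and the helper name are assumptions)

/**
 * Require the credentials file and return the array it returns.
 * Refuses to load a copy that resolves to somewhere under DOCUMENT_ROOT, so a
 * mis-deployed file fails loudly instead of risking being served as plain text.
 */
function loadCredentials(string $includeFile): array
{
    $real = realpath($includeFile);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $includeFile");
    }

    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false
        && strncmp($real, $docRoot . DIRECTORY_SEPARATOR, strlen($docRoot) + 1) === 0) {
        throw new RuntimeException("refusing to load credentials from inside the document root: $real");
    }

    $creds = require $real;
    if (!is_array($creds)) {
        throw new RuntimeException("credentials file must return an array: $real");
    }
    foreach (['host', 'user', 'pass'] as $key) {
        if (!isset($creds[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $creds;
}

// From a page inside public_html, resolve the include relative to this file
// rather than relying on the current working directory or include_path.
$creds = loadCredentials(__DIR__ . '/../somewhere_else/dbpassword.inc.php');
$db = new mysqli($creds['host'], $creds['user'], $creds['pass']);

// Fallback when the host gives you no space outside the document root: a
// .htaccess in the includes directory can refuse to serve the file at all,
// which is stricter than the .htpasswd prompt suggested in the mail
// (Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead):
//   <Files "dbpassword.inc.php">
//       Order allow,deny
//       Deny from all
//   </Files>
```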