Re: MySQL password file

On Monday 18 July 2005 18:53, Lawrence Kennon wrote:
> In my current hosting situation I don't have the ability to store my
> file that contains MySQL userids/passwords in a subdirectory that is
> not under the server root. In order to protect it from being included
> from a foreign host I thought up this scheme of using the php_uname
> function to check that it is running on the correct host. Does this
> look reasonably secure? I am not hosting any kind of store, or terribly
> sensitive data - it will only be a bulletin board.

If by "foreign host" you mean a remote (i.e. over the network) host then 
there is nothing for you to worry about (if your webserver is configured 
correctly -- see below). When using include() on a remote file you are 
only including the output of that file AFTER it has been processed by 
php. Thus in the case of the example below where you're only defining a 
bunch of constants there is no output and thus nothing to "include". 

>     define ('DB_USER', 'username');
>     define ('DB_PASSWORD', 'password');
>     define ('DB_HOST', 'localhost');
>     define ('DB_NAME', 'dbname');

**Beware** if you're using a non-standard filename extension for your 
include files, e.g. .inc, and have not configured your webserver to process 
these using php then it *is* possible to include and use these 
remotely. You can easily check this by entering the URL of the include 
file into a browser and then "view source"; what you see is what will be 
included by a "foreign host".

What you should be more concerned about if you're on a shared host is that 
there is a good possibility that your co-hosts are able to access your 
files anyway.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
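
The "view source" check described in the reply above, automated as an added example (not part of the original post): it inspects the response body of an include file's URL and reports whether PHP source came back unprocessed. The function names and both sample bodies are constructed for illustration; the sample reuses the constant names from the quoted snippet.

```python
"""Check whether an include file is served as raw PHP source instead of executed."""
import re
import urllib.request

# An opening PHP tag in the response body means the server did not run the file.
# "<?xml" is deliberately not matched.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)
# Names of constants set with define(); the values are deliberately not captured.
DEFINE_NAME = re.compile(rb"define\s*\(\s*['\"]([A-Za-z_][A-Za-z0-9_]*)['\"]")


def audit_body(body: bytes) -> dict:
    """Report whether a response body contains unprocessed PHP source."""
    names = [m.decode("ascii") for m in DEFINE_NAME.findall(body)]
    exposed = bool(PHP_TAG.search(body)) or bool(names)
    return {"source_exposed": exposed, "constants": names}


def audit_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch an include file's URL on a site you administer and audit it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        result = audit_body(resp.read(65536))
        result["content_type"] = resp.headers.get("Content-Type", "")
    return result


# Constructed sample: what a server returns for a .inc file it does NOT
# hand to PHP (the source itself, as seen with "view source").
RAW_INC_BODY = b"""<?php
    define ('DB_USER', 'username');
    define ('DB_PASSWORD', 'password');
    define ('DB_HOST', 'localhost');
    define ('DB_NAME', 'dbname');
?>
"""
# Constructed sample: the same file after PHP has executed it. It only
# defines constants, so there is no output at all.
PROCESSED_BODY = b""

if __name__ == "__main__":
    for label, body in (("raw .inc", RAW_INC_BODY), ("processed", PROCESSED_BODY)):
        print(label, audit_body(body))
```
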

