On 03 Oct 2006, at 14:16, Richard Lynch wrote:
> On Tue, October 3, 2006 1:51 pm, Google Kreme wrote:
>> And yeah, a key is better, but I've not gotten that far.
>
> See, whatever you do in that general vein of thought, your PHP script
> ends up needing to get the file.

Well, yes, but at least with a .ht* file Apache will never expose the
contents of that file. This is WHY I do it as a separate file with a
require() pointing to it.

> A php-readable file outside the webtree at least limits risk to users
> on the same machine -- and so machine access provides an
> authentication barrier. Not claiming that's insurmountable, mind you,
> but it's a real actual barrier of a significantly different nature
> than just reading yet another PHP/text file to find the key that reads
> the other-other php/text file.

As I understand it then, the .ht* is no less secure because, for all
intents and purposes, it is 'outside' the webtree since Apache will
never display it, and you need some other sort of access to the
machine (ftp, ssh, etc) to access it. As I understand it, you can't
even access .ht* files via WebDAV.

Course, I'm still rather new to all of this, so if I'm wrong, flame
away.

--
But just because you've seen me on your TV
Doesn't mean I'm any more enlightened than you
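
The trade-off discussed in this message, as an added example that is not part of the original post: a hypothetical PHP loader (function names, paths and the sample secret are constructed) that refuses a credentials file which sits in the web tree without a `.ht` name or is world-readable. It assumes a POSIX host and that Apache's stock deny rule for `.ht*` names is still in the server configuration.

```php
<?php
// Added example (hypothetical helper names; POSIX permissions assumed).
// Return the reasons a credentials file should not be trusted, if any.
function check_secret_file(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        return ["not a regular file: $path"];
    }
    $problems = [];
    $root = realpath($docRoot);
    $inside = $root !== false
        && strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    // Inside the web tree only a ".ht*" name is shielded, and only while
    // Apache's stock deny rule for those names is still configured.
    if ($inside && strncmp(basename($real), '.ht', 3) !== 0) {
        $problems[] = 'inside document root without a .ht name';
    }
    // Other local accounts are the remaining risk in both layouts.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        $problems[] = sprintf('world-readable (mode %04o)', $mode);
    }
    return $problems;
}

// require() the file only when no problem was found; it must `return` an array.
function load_secrets(string $path, string $docRoot): array
{
    $problems = check_secret_file($path, $docRoot);
    if ($problems) {
        throw new RuntimeException("refusing $path: " . implode('; ', $problems));
    }
    return require $path;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/secretdemo_' . getmypid();
mkdir("$base/htdocs", 0700, true);
$files = ["$base/htdocs/config.inc" => 0644,
          "$base/htdocs/.htsecret.php" => 0640, "$base/secret.php" => 0600];
foreach ($files as $file => $mode) {
    file_put_contents($file, "<?php return ['db_pass' => 'example-only'];\n");
    chmod($file, $mode);
    $problems = check_secret_file($file, "$base/htdocs");
    echo basename($file), ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
    unlink($file);
}
rmdir("$base/htdocs"); rmdir($base);
```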