Re: Re: any security problems with this?


 



On 6/12/07, Stut <stuttle@xxxxxxxxx> wrote:
Dave Goodchild wrote:
> Unless some server config error causes that stuff to be output on the page?
> I tend to put such functions in a .inc file and amend the .htaccess to
> prevent download.

Unless some server config error causes it to ignore .htaccess.

The basic rule when it comes to securing this stuff is to stick it
outside the web root. That way only a monumentally stupid server admin
or developer can make it possible for the average web user to get at it.

Oh, hang on...!

-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Just to throw this out there, you can put your information in the
Apache config too and get the values from $_SERVER.  This way it can
be owned by root.

See http://ilia.ws/files/quebec_security.pdf slide 59.
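
The approach described in this message, as an added example that is not part of the original post: credentials set with `SetEnv` in a root-owned Apache include and read back in PHP from `$_SERVER`. The file path, the `APP_DB_*` variable names, the sample values and the `load_db_credentials()` helper are hypothetical, and the sketch assumes mod_env and PHP running under Apache started as root.

```php
<?php
// Added example. The Apache side (hypothetical path and variable names):
//
//   # /etc/apache2/secrets/app-db.conf, owner root:root, mode 0600.
//   # Apache parses its configuration as root before dropping privileges,
//   # so the worker user (and PHP code running as it) cannot read this file.
//   SetEnv APP_DB_USER "appuser"
//   SetEnv APP_DB_PASS "constructed-sample-password"
//
//   # Inside the relevant <VirtualHost> in the main config:
//   Include /etc/apache2/secrets/app-db.conf

/**
 * Pull the required credentials out of the request environment.
 * Fails closed and names only the missing keys, never any value.
 */
function load_db_credentials(array $server, array $required = ['APP_DB_USER', 'APP_DB_PASS']): array
{
    $creds = [];
    $missing = [];
    foreach ($required as $key) {
        // Treat absent, non-string and empty values the same way: not configured.
        if (!isset($server[$key]) || !is_string($server[$key]) || $server[$key] === '') {
            $missing[] = $key;
            continue;
        }
        $creds[$key] = $server[$key];
    }
    if ($missing !== []) {
        throw new RuntimeException('Missing server configuration: ' . implode(', ', $missing));
    }
    return $creds;
}

// Constructed stand-in for $_SERVER so the script also runs from the CLI.
$sample = [
    'APP_DB_USER' => 'appuser',
    'APP_DB_PASS' => 'constructed-sample-password',
    'REQUEST_URI' => '/',
];
$creds = load_db_credentials(PHP_SAPI === 'cli' ? $sample : $_SERVER);

// Report only which keys were found; the values themselves are never echoed.
echo 'Loaded keys: ' . implode(', ', array_keys($creds)) . PHP_EOL;
```

Anything that dumps `$_SERVER`, including `phpinfo()`, will show these values, so keep that kind of output off production pages.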


