Re: Re: any security problems with this?

On Tue, June 12, 2007 7:58 am, Eric Butera wrote:
> On 6/12/07, Stut <stuttle@xxxxxxxxx> wrote:
>> Dave Goodchild wrote:
>> > Unless some server config error causes that stuff to be output on
>> > the page?
>> > I tend to put such functions in a .inc file and amend the
>> > .htaccess to prevent download.
>>
>> Unless some server config error causes it to ignore .htaccess.
>>
>> The basic rule when it comes to securing this stuff is to stick it
>> outside the web root. That way only a monumentally stupid server admin
>> or developer can make it possible for the average web user to get at it.
>>
>> Oh, hang on...!
>>
>> -Stut
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
> Just to throw this out there, you can put your information in the
> Apache config too and get the values from $_SERVER.  This way it can
> be owned by root.
>
> See http://ilia.ws/files/quebec_security.pdf slide 59.

The downside of that is that something as simple as:
<?php phpinfo();?>
will dump your password out as part of $_ENV or $_SERVER

That's probably NOT a good idea in many environments, but an excellent
idea in some.

Security cannot be evaluated in isolation.

And, of course, many users won't have access to httpd.conf, so that's
not an option at all in those environments.

One has to look at the Big Picture to make the final decision between:
  outside web tree in .php (or .inc) file
  in httpd.conf

There are probably other arcane solutions "out there" but probably not
very practical for most uses.

I really can't recommend keeping it in the web tree with only .htaccess
protecting it, personally, though many seem to think that's fine...

I guess they never did anything bone-headed like:
tar -cvzf export.tar httpdocs
and then untarred it on another server, forgetting that .htaccess and
other "hidden" files wouldn't be caught by tar that way, and then the
password was just sitting out there for the public to snarf...  Until I
ran across the images that didn't work because the ForceType in
.htaccess wasn't there.

So for a good 10 minutes [shudder] my database password was available
on the Internet...

I'm sure nobody else in the course of history will make this same
bone-headed mistake.  No.  Never.

:-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
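The "outside the web root" approach that Stut recommends in the quoted message, as an added example written for this archive page rather than code from anyone in the thread; the directory layout (a `config/` directory beside the served `htdocs/`), the file name `db.php` and the array keys are assumptions:

```php
<?php
// Added example, not from the thread. Load DB credentials from a PHP file
// that lives outside the document root, and fail closed if the file turns
// out to be reachable through the web root after all.
declare(strict_types=1);

/**
 * True when $file resolves to a location under $docRoot. Both paths go
 * through realpath() so symlinks and ".." are handled; a file that does
 * not exist yields false from realpath() and is treated as "inside" so
 * the caller refuses to continue rather than guessing.
 */
function is_under_web_root(string $file, string $docRoot): bool
{
    $realFile = realpath($file);
    $realRoot = realpath($docRoot);
    if ($realFile === false || $realRoot === false) {
        return true;
    }
    $realRoot = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $realRoot, strlen($realRoot)) === 0;
}

/**
 * Load credentials from a PHP file that returns an array, e.g.
 *   <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => '...'];
 * Throws if the file is inside the web root or a required key is missing.
 */
function load_db_config(string $file, string $docRoot): array
{
    if (is_under_web_root($file, $docRoot)) {
        throw new RuntimeException("refusing to load credentials from inside the web root: $file");
    }
    $cfg = require $file;
    foreach (['host', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("db config is missing '$key'");
        }
    }
    return $cfg;
}

// Hypothetical layout: /var/www/example.com/htdocs is served, ../config is not.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '/var/www/example.com/htdocs';
$cfg = load_db_config(dirname($docRoot) . '/config/db.php', $docRoot);
$db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass']);
unset($cfg); // drop the plaintext password from scope once it has been used
```

Because the password never passes through the Apache environment, a stray `phpinfo()` or `var_dump($_SERVER)` in the web tree does not reveal it, which is the downside of the `SetEnv`/httpd.conf approach described in the reply above.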
