Re: Re: any security problems with this?

On Tue, June 12, 2007 7:47 am, Stut wrote:
> Dave Goodchild wrote:
>> Unless some server config error causes that stuff to be output on
>> the page?
>> I tend to put such functions in a .inc file and amend the .htaccess to
>> prevent download.
>
> Unless some server config error causes it to ignore .htaccess.
>
> The basic rule when it comes to securing this stuff is to stick it
> outside the web root. That way only a monumentally stupid server admin
> or developer can make it possible for the average web user to get at
> it.
>
> Oh, hang on...!

Or, on a shared host, any other PHP user can write a script to fread
the file and dump it out, unless your webhost has gone to extra
lengths to set up different username/groups for every client, and set
up separate Apache pools for each and...  This gets quite expensive
and drastically affects the number of clients one can cram into a
single box, so it is rarely done this way in Real Life.

This is not to say that you should never ever do this on a shared
host; only that you ARE risking the password and everything in the DB
to any other client on the same host, and you should Architect your
project accordingly.

E.g., using the same password as for your bank account is probably a
Bad Idea :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
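
An added example, not part of the original thread or any poster's code: a PHP check for the two exposures discussed above, a credentials include that sits inside the web root and one that other accounts on a shared host can read. The function name `audit_secret_file` and all paths are hypothetical and constructed for the demo.

```php
<?php
// Added example: audit where a credentials include lives and who can read it.
// All paths are constructed for the demo.

function audit_secret_file(string $file, string $docroot): array
{
    $real = realpath($file);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        return ['cannot resolve the file or the web root'];
    }
    $findings = [];

    // Inside the web root, a server or .htaccess misconfiguration can serve it.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $prefix) === 0) {
        $findings[] = 'inside the web root';
    }

    // World-readable: any other local account can read it directly.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('world-readable (mode %04o)', $mode);
    }

    // PHP running as someone other than the owner usually means a web-server
    // identity shared by every client on the box, so their scripts can read it too.
    if (function_exists('posix_geteuid') && is_readable($real)
        && posix_geteuid() !== fileowner($real)) {
        $findings[] = 'readable by a PHP process that is not the file owner';
    }
    return $findings;
}

// Constructed demo tree: one include under the web root, one outside it.
$base = sys_get_temp_dir() . '/audit_demo_' . getmypid();
mkdir("$base/public_html", 0755, true);
mkdir("$base/private", 0755, true);
$files = ["$base/public_html/db.inc" => 0644, "$base/private/db.inc" => 0600];
foreach ($files as $path => $mode) {
    file_put_contents($path, "<?php // placeholder credentials\n");
    chmod($path, $mode);
    $found = audit_secret_file($path, "$base/public_html");
    echo $path, ': ', $found ? implode('; ', $found) : 'no findings', "\n";
    unlink($path);
}
rmdir("$base/public_html"); rmdir("$base/private"); rmdir($base);
```

Run it through the same PHP setup that serves the site, since the last check depends on which user PHP executes as; from your own shell login it will normally report nothing for that check.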

