On 6/12/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
> The downside of that is that something as simple as:
>
>     <?php phpinfo();?>
>
> will dump your password out as part of $_ENV or $_SERVER
>
> That's probably NOT a good idea in many environments, but an excellent idea in some. Security cannot be evaluated in isolation.
>
> And, of course, many users won't have access to httpd.conf, so that's not an option at all in those environments.
>
> One has to look at the Big Picture to make the final decision between:
>
>   - outside web tree in .php (or .inc) file
>   - in httpd.conf
>
> There are probably other arcane solutions "out there" but probably not very practical for most uses.
>
> I really can't recommend to keep it in the webtree with only .htaccess protecting it, personally, though many seem to think that's fine...
>
> I guess they never did anything bone-headed like:
>
>     tar -cvzf export.tar httpdocs
>
> and then untarred it on another server, forgetting that .htaccess and other "hidden" files wouldn't be caught by tar that way, and then the password was just sitting out there for the public to snarf... Until I ran across the images that didn't work because the ForceType in .htaccess wasn't there.
>
> So for a good 10 minutes [shudder] my database password was available on the Internet...
>
> I'm sure nobody else in the course of history will make this same bone-headed mistake. No. Never. :-)
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
I figured this wasn't an option for most people, but thought I'd throw it out there. It works great at my company since we own our server to host client sites on.

Hopefully nobody has phpinfo just sitting out on a production server.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
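Added example, not code from either poster: a small pre-deploy audit in POSIX shell for the two mistakes this exchange describes, a phpinfo() page left reachable in the web tree, and an archive that lost its .htaccess files so the access rules never reach the destination server. The sample site, its file names and the placeholder password are all constructed inside a temporary directory so the script runs stand-alone; the function and file names are my own. It also generalizes the tar anecdote by packing the same tree two ways, which shows which invocation drops the dot-files.

```shell
#!/bin/sh
# Added example (not from the thread): pre-deploy audit for a PHP web tree.
# Everything below works on a constructed sample site built by build_demo_tree.

# find_phpinfo DIR
#   Prints every .php/.inc file under DIR that calls phpinfo().
#   Returns 1 if any were found (a problem), 0 if the tree is clean.
find_phpinfo() {
    found=$(find "$1" -type f \( -name '*.php' -o -name '*.inc' \) \
              -exec grep -l 'phpinfo[[:space:]]*(' {} + 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# archive_has_htaccess ARCHIVE.tgz
#   Returns 0 if the tar listing contains at least one .htaccess entry.
archive_has_htaccess() {
    tar -tzf "$1" | grep -qE '(^|/)\.htaccess$'
}

# audit_site DIR ARCHIVE.tgz
#   Runs both checks and prints a warning for each failure; returns 1 on any.
audit_site() {
    status=0
    if ! archive_has_htaccess "$2"; then
        echo "WARNING: no .htaccess in $2; rules protecting $1 will not be deployed"
        status=1
    fi
    if ! hits=$(find_phpinfo "$1"); then
        echo "WARNING: phpinfo() is reachable in:"
        printf '%s\n' "$hits" | sed 's/^/  /'
        status=1
    fi
    return $status
}

# build_demo_tree
#   Constructs a sample site in a temp dir, packs it two ways, prints the dir.
#   glob.tgz is built from "httpdocs/*": the shell glob skips dot-files at the
#   top level, so httpdocs/.htaccess is missing.  dir.tgz names the directory
#   itself, so tar recurses and keeps the dot-file.
build_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/httpdocs/config"
    # constructed .htaccess: the only thing shielding db.inc in this layout
    printf 'ForceType application/x-httpd-php\n<Files "db.inc">\n  Order allow,deny\n  Deny from all\n</Files>\n' \
        > "$tmp/httpdocs/.htaccess"
    # constructed placeholder credential, not a real secret
    printf '<?php $db_password = "constructed-placeholder"; ?>\n' \
        > "$tmp/httpdocs/config/db.inc"
    printf '<?php phpinfo(); ?>\n' > "$tmp/httpdocs/info.php"
    printf '<?php echo "hello"; ?>\n' > "$tmp/httpdocs/index.php"
    ( cd "$tmp" && tar -czf glob.tgz httpdocs/* && tar -czf dir.tgz httpdocs )
    printf '%s\n' "$tmp"
}

# Run the audit on the constructed site when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(build_demo_tree)
    echo "== packed with httpdocs/* =="
    audit_site "$tmp/httpdocs" "$tmp/glob.tgz" || true
    echo "== packed with httpdocs =="
    audit_site "$tmp/httpdocs" "$tmp/dir.tgz" || true
    rm -rf "$tmp"
fi
```

Against a real tree the two functions are meant to be sourced and pointed at the staging copy and the archive about to be shipped; a non-zero return from audit_site is the signal to stop the deploy. The archive check only catches the missing-dot-file case from the anecdote; credentials kept outside the web tree are not affected by either mistake, which is the option the thread settles on.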