On Jan 11, 2008 9:33 AM, Bipin Upadhyay <muxical.geek@xxxxxxxxx> wrote: > Lucas Prado Melo wrote: > > Hello, > > Some php applications store database passwords into files which can be > > read by the user www-data. > Why not keep them out of the web tree and inform the application > regarding the same. I am sure almost all good applications would provide > a simple way for doing it. > > So, a malicious user which can write php scripts could read those passwords. > > What should I do to prevent users from viewing those passwords? > I am not sure I understand this. Do you mean the attacker would upload > scripts and execute them to read th config files? If yes then that's a > different problem altogether. Yes, I mean so. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
