On Thu, January 10, 2008 9:15 pm, Lucas Prado Melo wrote: > Some php applications store database passwords into files which can be > read by the user www-data. > So, a malicious user which can write php scripts could read those > passwords. > What should I do to prevent users from viewing those passwords? Get a dedicated box and don't have any untrusted users on it. There really is no other solution: If PHP can read the password to use it, then PHP can read the password to use it, and the other user that can run PHP can do that. Actually, somebody COULD set up a shared server with enough un-shared resources, including a different set of HTTP children for each user, and make this work, but it's a lot easier to find an affordable dedicated server host than to dig into the details of every webhost package. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
