Re: How to hide MySQL password in connection string in PHP script?

"Robert Dodier" robert_dodier AT yahoo.com wrote on 12-21-2003
> Hello,
>
> I am experimenting with a wiki system (PhpWiki) which uses
> a MySQL database to store pages. It seems like a great system.
>
> The MySQL connection string is specified in a PHP script
> in the form "mysql://FOO:FOOPASSWD@xxxxxxxxxxxxxx/baz".
>
> If I'm not mistaken the script has to be world-readable.
> But then, can't any other user (logged in to the host)
> just read the password?
>
> I share the host with other users, and the script has to
> be in my home directory, so I don't think I can guarantee
> that no other user can see it.
>
> Thanks for any advice,
>
> Robert Dodier

I recently had the same problem on a shared host. The only solution I
could think of was to have the server admin set an environment
variable in an httpd.conf include file owned by root (chmod 600)
[1].

EXAMPLE (mysql_pw.conf):

SetEnv mysql_pw password
SetEnv mysql_user username

In PHP the variables then should end up in the $_SERVER array ...

EXAMPLE (PHP):
<?php
var_dump($_SERVER['mysql_pw'], $_SERVER['mysql_user']);
?>

If this is impossible I can't think of another secure way on shared
host systems, since other hosts usually are able to read your files.
Maybe (if supported) one could SetEnv in .htaccess, so an attacker
would at least have to glance into the PHP source code to find out
where the password is stored.
Still most people have it inside an include file and it works, I think.

[1] http://httpd.apache.org/docs/1.3/mod/mod_env.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
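
An added example, not part of the original post or of PhpWiki: one way to build the "mysql://user:password@host/db" connection string from the SetEnv variables described above, failing closed when they are missing and never printing the password. The function name, host and sample values are hypothetical, and it assumes the DSN parser percent-decodes the user and password fields.

```php
<?php
// Added example: build the connection string from variables set with SetEnv
// instead of hard-coding the password in a world-readable script.
// The names mysql_user / mysql_pw follow the post; build_mysql_dsn(), the host
// and the sample credentials are hypothetical. Requires PHP 7 or later.

function build_mysql_dsn(array $server, string $host, string $db): string
{
    foreach (['mysql_user', 'mysql_pw'] as $key) {
        // Fail closed: a missing variable usually means the root-owned
        // include file was not loaded for this virtual host.
        if (!isset($server[$key]) || $server[$key] === '') {
            // Name the missing key only; never echo a credential value.
            throw new RuntimeException(
                "Database credential '$key' is not set in the server environment"
            );
        }
    }

    // Percent-encode so that '@', ':' or '/' inside the password cannot
    // change how the connection string is split into its parts.
    return sprintf(
        'mysql://%s:%s@%s/%s',
        rawurlencode($server['mysql_user']),
        rawurlencode($server['mysql_pw']),
        $host,
        rawurlencode($db)
    );
}

// Redact the password before a DSN goes anywhere near a log or error page.
function redact_dsn(string $dsn): string
{
    return preg_replace('#(://[^:]+:)[^@]*@#', '$1***@', $dsn);
}

// Constructed sample input standing in for $_SERVER under Apache.
$sample = ['mysql_user' => 'wikiuser', 'mysql_pw' => 'p@ss:w/rd'];
$dsn = build_mysql_dsn($sample, 'db.example.invalid', 'baz');
echo redact_dsn($dsn), "\n";

// In the real script the call would be:
// $dsn = build_mysql_dsn($_SERVER, 'db.example.invalid', 'baz');
```

Values set with SetEnv also appear in phpinfo() output and in any dump of $_SERVER, so keep such diagnostics off pages served from the same virtual host.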

