Michael A. Peters wrote:
>
> Another thing the common CMS tools frequently do - they want a
> configuration file that the web server has write permission to that is
> parsed as php by almost every page the app displays. Big mistake - if
> you want a web interface to change settings, store the settings in a
> database table, don't have the web app write them to a file that other
> pages include.
>
> Finally, another thing they often do is to have a directory the web
> server has write permission to in the web root. Big mistake, you don't
> want apache to have write permission to any directories (or files) that
> it serves, you want to keep those outside the web root and use php to
> grab what needs to be grabbed (i.e. a php wrapper to fetch images that
> users have uploaded).
>
> Have fun, but if looking at other apps to figure out how to do things,
> just remember that many of the webapps out there are not examples of
> good code and remember that most php books are not written by security
> gurus (I'm not a security guru, and even I've found insecure practices
> in several books).
>
> Unfortunately a lot of jerks exist who want to own your server and use
> it to spam the world (or attack other servers).

Some good advice; however, I have never been able to retrieve my db type,
db name, db user name and db password from the database without first
using these to connect to the database ;-)

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
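The first piece of advice in the quoted post (keep web-editable settings in a database table rather than in a PHP file the web server can write to) as an added example. This is not code from the thread or from any particular CMS; the table layout, connection string and setting names are assumptions. The only file-based configuration left is the database DSN, which the web server user can read but never writes, so Shawn's bootstrap problem is handled by that one read-only file while everything an admin page can edit lives in the table.

```php
<?php
// Added example (not from the list post): web-editable settings stored in a
// database table instead of a PHP file that the web server can write to and
// that every page include()s.
//
// Assumed schema (placeholder):
//   CREATE TABLE settings (name VARCHAR(64) PRIMARY KEY, value TEXT NOT NULL);
declare(strict_types=1);

// The one thing that must live in a file: how to reach the database.
// This file is owned by root/deploy, mode 0640, readable by the web server
// user and never written by the application. Credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Whitelist of settings an admin form may change, each with a validator.
// A key not listed here can never be written, so an unexpected form field
// cannot create or overwrite anything else.
const EDITABLE_SETTINGS = [
    'site_title'     => '/^[\p{L}\p{N} .,\-]{1,80}$/u',
    'items_per_page' => '/^[1-9][0-9]?$/',
    'maintenance'    => '/^[01]$/',
];

/** Load all settings as name => value. Called once per request, no include() of generated PHP. */
function load_settings(PDO $pdo): array
{
    return $pdo->query('SELECT name, value FROM settings')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

/**
 * Store one setting. The value travels as a bound parameter: it is data to
 * the database and stays data when read back. Contrast the file-writing
 * pattern the post warns about, where the value is interpolated into PHP
 * source; there a single quote character in the value ends the string
 * literal and whatever follows is executed as code on every page load.
 */
function save_setting(PDO $pdo, string $name, string $value): void
{
    if (!isset(EDITABLE_SETTINGS[$name]) || !preg_match(EDITABLE_SETTINGS[$name], $value)) {
        throw new InvalidArgumentException("refused setting: $name");
    }
    $stmt = $pdo->prepare(
        'INSERT INTO settings (name, value) VALUES (:n, :v)
         ON DUPLICATE KEY UPDATE value = VALUES(value)'
    );
    $stmt->execute([':n' => $name, ':v' => $value]);
}

// Usage from an admin page, after the usual authentication/CSRF checks:
//   save_setting($pdo, 'site_title', $_POST['site_title'] ?? '');
// and from any page:
//   $cfg = load_settings($pdo);
//   $title = $cfg['site_title'] ?? 'Untitled';
```

The validators are deliberately narrow; widen them per setting rather than dropping the check, since the table is the trust boundary every page relies on.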
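The second piece of advice (an upload directory outside the web root, with a PHP wrapper that fetches user-uploaded images) as an added example. It is not code from the thread or from any CMS; the directory path, the `uploads` table and the column names are assumptions. The client only ever supplies a numeric id; the on-disk filename is generated at upload time and looked up from the database, so no request parameter is ever turned into a path.

```php
<?php
// Added example (not from the list post): uploads written to a directory the
// web server can write to but does NOT serve, and fetched through a wrapper.
//
// Assumed layout (placeholders):
//   DocumentRoot  /var/www/html      read-only to the web server user
//   UPLOAD_DIR    /var/www/uploads   writable, outside DocumentRoot
//   CREATE TABLE uploads (id INT AUTO_INCREMENT PRIMARY KEY,
//                         mime VARCHAR(32) NOT NULL, stored_name CHAR(36) NOT NULL);
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';

// The only types we will ever store or send, with the extension we assign.
// The Content-Type sent back comes from this table, never from the upload.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/** Upload side: sniff the real type, give the file a random name, record it. Returns the new id. */
function store_upload(PDO $pdo, array $file): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // Random name, our extension; the user-supplied filename is never used on disk.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store upload');
    }
    $stmt = $pdo->prepare('INSERT INTO uploads (mime, stored_name) VALUES (:m, :s)');
    $stmt->execute([':m' => $mime, ':s' => $stored]);
    return (int)$pdo->lastInsertId();
}

/** Fetch side: the wrapper the post describes. Called as /image.php?id=42 */
function serve_upload(PDO $pdo, string $rawId): void
{
    // 1. Strict input: a short decimal integer and nothing else.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawId)) {
        http_response_code(400);
        exit;
    }
    $stmt = $pdo->prepare('SELECT mime, stored_name FROM uploads WHERE id = :id');
    $stmt->execute([':id' => (int)$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !isset(ALLOWED_TYPES[$row['mime']])) {
        http_response_code(404);
        exit;
    }
    // 2. We generated stored_name ourselves, but re-check its shape so a
    //    corrupted or tampered row still cannot name a file elsewhere.
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|gif)$/', $row['stored_name'])) {
        http_response_code(404);
        exit;
    }
    // 3. Resolve symlinks and confirm the result is still inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $row['stored_name']);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // 4. Fixed headers: our MIME type, no sniffing, and a filename we chose.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string)filesize($path));
    header('Content-Disposition: inline; filename="upload-' . $rawId . '.' . ALLOWED_TYPES[$row['mime']] . '"');
    header('Cache-Control: private, max-age=3600');
    readfile($path);
    exit;
}

// Usage (image.php); credentials are placeholders and live in a read-only file:
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
serve_upload($pdo, $_GET['id'] ?? '');
```

Because nothing under `UPLOAD_DIR` is reachable by URL, a file that is really PHP disguised as an image can only ever be read back as bytes with an image Content-Type; it is never executed by the web server, which is the property the post is after.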