On 4 Dec 2011, at 16:59, Andreas wrote: > Am 03.12.2011 23:54, schrieb Tamara Temple: >> If you give every application user a unique set of database access permissions, that means that any one of those users can access your data base WITHOUT going through your application if they manage to get access to your data base server. Is that clearer? Your application's users should not be able to access the data base directly. The application should be the thing to manage the data base. You may want to have different data base credentials for different user *roles* (plain, privileged, admin roles, etc), but to give *every* application individual data base unique credentials is not only unnecessary, but also a security risk. > > OK, then where or how is the most advisable place to store the application's credentials. > > One way is to have it as constants in an seperate php-file somewhere within the doc-root so php can easily access it as include. > An application that is to be put on an outside hoster's server has to do it like this, I guess. > Mine will stay on a server within the LAN for now, so I've got root access. > > This way the web-server could display it in the probaply unlikely case someone guesses the url to it AND the php-interpreter fails to process it first. > > More likely a local user could read it, though. > > So how would I store it and restrict access to it? Put it outside the document root so it can't be accessed directly. The only chance of it being displayed to a user then is via a really bad mis-configuration of the web server, or an error in the code, neither of which you can reasonably be expected to protect against (outside of effective testing). -Stuart -- Stuart Dallas 3ft9 Ltd http://3ft9.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php