On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:
> > Store the mysql connection information in a PHP file in the webspace. I
> > often create a file db_config.php3 and it looks like this:
> >
> > <?
> > $dbhost = "localhost";
> > $dbuser = "someuser";
> > $dbpasswd = "somepassword";
> > mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> >     die("Unable to connect to mysql server ($dbhost) ...");
> > ?>
> >
> >
> The problem is that anyone who can put up a php page can download every
> php page _source_ there is on the webserver (see my initial post).
> Therefore the password is retrievable this way.

Nor would the above script be persistent, no? I don't do any PHP.

What we do is generate an initial connection to db when server starts
up as root. The server then changes uid/gid to nobody:nogroup.

Now that is with WN. Hardly stock debian setup. ;^) Nor do we let
users onto the machines with that setup; it's staff only. Period.

As an alternative, you might be able to set server id read only
depending on how much updating and run the updates suid, etc....

cfm

--
Christopher F. Miller, Publisher    [EMAIL PROTECTED]
MaineStreet Communications, Inc
208 Portland Road, Gray, ME 04039
1.207.657.5078    http://www.maine.com/
Database publishing, e-commerce, office/internet integration, Debian linux.
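
The startup order described in the reply above (acquire the privileged resource as root, then switch to nobody:nogroup), as an added example that is not part of the original message and not WN's code. A 0600 temp file stands in for the database connection, and uid/gid 65534 for nobody:nogroup is an assumption; all function names are hypothetical.

```c
#define _DEFAULT_SOURCE              /* for setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAMPLE "dbpasswd=constructed-example\n"   /* constructed, not a real secret */

/* Permanently drop root. 0 = dropped, 1 = was not root, -1 = failed (caller must exit). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 1;
    if (setgroups(0, NULL) != 0) return -1;   /* shed root's supplementary groups */
    if (setgid(gid) != 0) return -1;          /* gid first: impossible once uid is gone */
    if (setuid(uid) != 0) return -1;          /* as root this sets real, effective, saved */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) return -1; /* must be irreversible */
    return 0;
}

/* Open the protected resource while privileged, drop, then use the open descriptor.
 * The file stands in for the database connection. Returns bytes read or -1. */
ssize_t start_and_read(const char *path, uid_t uid, gid_t gid, char *buf, size_t n) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) < 0) { close(fd); return -1; }  /* fail closed */
    ssize_t got = read(fd, buf, n - 1);  /* permission was checked at open(), not here */
    close(fd);
    if (got >= 0) buf[got] = '\0';
    return got;
}

/* Write the constructed sample to a fresh 0600 temp file; tmpl is a mkstemp template. */
int make_sample(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    ssize_t w = write(fd, SAMPLE, strlen(SAMPLE));
    close(fd);
    return w == (ssize_t)strlen(SAMPLE) ? 0 : -1;
}

int main(void) {
    char path[] = "/tmp/dbconf-XXXXXX", buf[64];
    if (make_sample(path) != 0) return 1;
    ssize_t got = start_and_read(path, 65534, 65534, buf, sizeof buf); /* 65534: assumed nobody/nogroup */
    printf("uid=%d read=%zd\n", (int)getuid(), got);
    return got < 0;
}
```

Started as root, the process ends up as uid 65534 yet still reads through the descriptor it opened earlier, while the credentials file itself stays unreadable to anything running as nobody.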