On Wed, 8 Dec 1999, Shahed Ali wrote:

> I had the same problem. My friend hosted with indialinks or some other Co in
> Goregaon/ Malad I think, and I brought that to their notice. But that guy
> simply ignored me. As far as I know, you need to have a dedicated server for
> your work.
> I don't know of any other way, except of course, you enter the password as
> part of an HTTP POST. But then all your end users will also have to know the
> passwd.

That is a very very bad idea.  The reason: anyone listening on the line
would get the password, because it is sent as plain text over the net.
The password should be stored only on the server.

> From: ranjeet walunj <[EMAIL PROTECTED]>
> 
> >now my problem is this .php3/.phtml file is world readable
> >even if the directory in which it is placed is not having r/w access on
> >webserver
> >but anyone who is having telnet access (in case of webserver the other guys
> >who are hosting on the same server)
> >can copy the file without getting any problem...thus he can get the
> >database passwd (which is very critical)
> >
> >will anyone working on securing webserver help me out please....
> >or is there any different way of defining username+passwd in php script?
> >can external exec file EXPORT these variables? how to get them in php
> >script

I am not a php3 programmer, but this seems to be a basic security problem,
and is similar to the problem with Perl programs.  The only way to protect
your code is to delete it (from the Perl FAQ).  I do not think that that
is a viable option for most of us.  Another option may be to compile your
program to bytecode.  I do not know if this is possible in PHP, but it is
worth a try.

While this will not guarantee security (any *competent* programmer will be
able to reverse engineer the code), it will however deter the casual
password sniffer / inexperienced cracker (not hacker - hackers don't
crack - read the jargon file).

I will have a look around and see if anything comes up.

HTH

Philip
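
An added example, not part of the original message: a Python check for the exposure described in the quoted question, reporting script files that are world-readable and also contain a hard-coded password assignment. The regular expression, the function names and the sample files are assumptions constructed for illustration; the check looks at file mode bits only, not at directory permissions.

```python
import os
import re
import stat
import tempfile

# Extensions named in the thread (.php3/.phtml) plus .php; adjust for your site.
SCRIPT_EXTS = (".php3", ".phtml", ".php")
# Heuristic (assumption): a PHP variable whose name mentions pass/pwd,
# assigned a non-empty string literal.
CRED_RE = re.compile(r"""\$\w*(pass|pwd)\w*\s*=\s*["'][^"']+["']""", re.I)


def find_exposed_credentials(root):
    """Return sorted (path, line_no) pairs for script files that are
    world-readable AND contain a password-like assignment."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            # S_IROTH is the "other users may read" bit a co-hosted account relies on.
            if not os.stat(path).st_mode & stat.S_IROTH:
                continue
            with open(path, errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    if CRED_RE.search(line):
                        findings.append((path, line_no))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample input: three small scripts in a temporary directory."""
    root = tempfile.mkdtemp()
    samples = {
        "db.php3": ('<?php\n$dbuser = "shop";\n$dbpasswd = "example-only";\n?>\n', 0o644),
        "locked.phtml": ('<?php $dbpasswd = "example-only"; ?>\n', 0o640),
        "index.php": ('<?php echo "hello"; ?>\n', 0o644),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit chmod so the umask does not change the result
    return root


if __name__ == "__main__":
    for path, line_no in find_exposed_credentials(build_sample_tree()):
        print(f"{path}:{line_no}: world-readable file contains a password assignment")
```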
