At 10:35 AM -0700 6/6/01, Kenneth Kopelson wrote:
>Actually you are only exposed if you have not set up Apache to run
>with virtual hosts.  It is not difficult to configure Apache so that
>a person can only see the scripts that are in his/her directory, and
>is prevented from seeing or modifying the scripts in other people's
>directories.  Also, it is wise to place your DB passwords in a
>separate small file, and then include the file in all your scripts.
>You can place the password file in a directory that doesn't have any
>accessibility from anyone on the web.  Let's say we have a password
>file called "dbpass.inc", and we place it in a directory called
>"/var/protected" off the root.  Only the webserver is set to have
>permission to access this directory.  The password file should look
>something like this:
>
><?php
>$username = "username";
>$password = "password";
>?>
>
>Then in all your scripts include the following line:
>
>include ('/var/protected/dbpass.inc');

Except that all scripts run by Apache run with the same file system access
privileges (namely, the privileges of the account under which Apache is
set to run).  So all scripts run by a given instance of the server have
equivalent access privileges.  If you and I have scripts run by that server,
my scripts can read yours.  I don't see that virtual hosts have much to do
with it.  (Unless you're talking about Apache 2.xx, which will solve this
problem by allowing different virtual hosts to be associated with distinct
user IDs.)

>
>-Ken
>
>At 08:02 PM 6/5/01 -0500, Paul DuBois wrote:
>>At 10:37 PM +0100 6/5/01, Jorge Oliveira wrote:
>>>Hi again,
>>>
>>>You are right, your username and password will have to be on every PHP
>>>script that needs to use database.
>>>
>>>However, you don't have to be afraid because nobody can access the source of
>>>your PHP scripts - unless they are a good hacker!
>>
>>Actually, anyone else on the Web server host that has permission to
>>install scripts for the Web server can access the source.
>>
>>I couldn't tell from the original message whether the Web server is
>>shared with other people or not, but if you don't have your own
>>server, you're exposed.
>>
>>>
>>>I think you should pay a visit to http://www.php.net to understand how PHP
>>>works. Start with the basics and you will see that it is really VERY simple.
>>>
>>>Be cool,
>>>
>>>
>>>Jorge Oliveira
>>>[EMAIL PROTECTED]
>>>
>>>----------------------------------------
>>>© webfroggie.com - Recursos Online!
>>>web: http://www.webfroggie.com
>>>wap: http://www.webfroggie.com
>>
>>


--
Paul DuBois, [EMAIL PROTECTED]
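
Added example, not part of the original message: a Python sketch of the POSIX mode-bit check that decides who can read a file such as `/var/protected/dbpass.inc`. The decision depends only on the uid and groups of the requesting process, so a file the web server account can read is readable by every script that account executes. The temp-directory layout and the `web_server_account` / `other_local_account` labels are constructed for illustration; ACLs and other access-control layers are not modelled.

```python
import os
import tempfile

def can_access(st, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bool(bits & want)

def readable_by(path, uid, gids):
    """True if uid/gids can search every ancestor directory and read path."""
    path = os.path.realpath(path)
    parent = os.path.dirname(path)
    while True:
        if not can_access(os.stat(parent), uid, gids, 1):   # x = search
            return False
        if parent == os.path.dirname(parent):               # reached "/"
            break
        parent = os.path.dirname(parent)
    return can_access(os.stat(path), uid, gids, 4)          # r = read

def demo():
    """Constructed stand-in for /var/protected/dbpass.inc under a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "protected")
        os.mkdir(protected, 0o700)
        secret = os.path.join(protected, "dbpass.inc")
        with open(secret, "w") as f:
            f.write("<?php /* constructed sample */ ?>\n")
        os.chmod(secret, 0o600)
        # Assumption: the current account plays the web server account.
        web_uid = os.geteuid()
        web_gids = set(os.getgroups()) | {os.getegid()}
        # Assumption: an unrelated local account with no shared groups.
        other_uid = web_uid + 1000
        return {
            "web_server_account": readable_by(secret, web_uid, web_gids),
            "other_local_account": readable_by(secret, other_uid, set()),
        }

if __name__ == "__main__":
    for who, ok in demo().items():
        print(f"{who}: {'can read' if ok else 'denied'}")
```

The check has no input for which script is asking, only which account: restricting the directory to the web server shuts out other login accounts but not other scripts run by the same server.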
