On Wed, 6 Jun 2001, Ian Ford wrote:
> Name your config file config.inc and if any of the below situations
> happen your password and username will not show up in plain text for the
> casual browser.
> (EXAMPLE:
>
> CONFIG.INC
> <?
> $DBname = 'test';
> $DBuser = 'imatest';
> $DBpass = 'Whatever';
> $DBhost = 'localhost';
> ?>
>
> INDEX.PHP
> <?
> require("config.inc");
> $conn = mysql_connect($DBhost,$DBuser,$DBpass);
> mysql_select_db($DBname);
> ?>
>
> END EXAMPLE)
> You can place the config.inc anywhere you want. My preference is in an
> includes folder...
Actually I tried this out some time ago and found that it appears as a
plain text file. This I believe is because the webserver knows that .php
or .php3 should be treated as a PHP file, and others in whichever way it
can display.
>
> -----Original Message-----
> From: Neil Zanella [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 06, 2001 12:09 PM
> To: Don Read
> Cc: Ed Peddycoart; Mysql@Lists. Mysql. Com; Jorge Oliveira
> Subject: RE: Need help on mysql/php
>
>
>
> On Tue, 5 Jun 2001, Don Read wrote:
>
> > Better yet, put the file outside the $DOCUMENT_ROOT, in case your server is
> > poorly configured.
> >
> > include("$DOCUMENT_ROOT/../config.php");
>
> This is a very good idea. One day if the system administrator decides to
> back up all the user data and upgrade the web server and forgets to
> include support for PHP then all the PHP files become readable as plain
> text and casual web surfers could sniff your password. Another scenario
> where this could happen is if there are two web servers and your home
> directory is mounted on both via NFS or AFS and you may not be aware that
> the other web server does not have PHP support.
>
> If you are serving from /home/httpd/html then store your database access
> information including passwords in some directory like /home/httpd/secret
> and set the right ownerships for that directory and files therein. It is
> also a good idea to control extraneous access to the database by
> firewalling your site.
>
> Neil
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail
> <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
>
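The layout Don Read and Neil Zanella describe, as an added example that is not code from anyone in this thread: a loader that refuses a credentials file sitting inside the document root or accessible to other local users. The function name load_db_config, the array-returning config format, the constructed temp directories and the Unix permission bits are all assumptions of the example.

```php
<?php
// Added example. load_db_config() and the array-returning config file are
// hypothetical; the directories below are constructed for the demonstration.

function load_db_config(string $configPath, string $documentRoot): array
{
    $real = realpath($configPath);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Inside the document root the file is one misconfiguration away from
    // being sent to a browser as plain text, whatever its extension.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("refusing config inside document root: $real");
    }
    // Read or write access for "other" lets any local account get the password.
    if ((fileperms($real) & 0006) !== 0) {
        throw new RuntimeException("config is accessible to other users: $real");
    }
    $cfg = require $real; // the file returns an array instead of setting globals
    foreach (['DBname', 'DBuser', 'DBpass', 'DBhost'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing setting: $key");
        }
    }
    return $cfg;
}

// Constructed layout mirroring /home/httpd/html and /home/httpd/secret.
$base = sys_get_temp_dir() . '/httpd-' . getmypid();
mkdir("$base/html", 0755, true);
mkdir("$base/secret", 0750, true);
$body = "<?php return ['DBname'=>'test','DBuser'=>'imatest',"
      . "'DBpass'=>'Whatever','DBhost'=>'localhost'];";
file_put_contents("$base/html/config.inc", $body);   // the layout to avoid
file_put_contents("$base/secret/config.php", $body); // outside the docroot
chmod("$base/secret/config.php", 0640);

$cfg = load_db_config("$base/secret/config.php", "$base/html");
echo "loaded settings for database {$cfg['DBname']}\n";
try {
    load_db_config("$base/html/config.inc", "$base/html");
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Giving the file a .php extension as well means that, if it is ever copied under the document root by mistake, a working PHP handler executes it and returns an empty page rather than its source.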