How does one go about securing database access username and password information that's kept in a script's config file?
Most of the PHP and Perl applications floating around Sourceforge, as well as most of the commercially available scripts, store the database access username and password in a config file. This can be called anything, and can be kept either inside or outside the htdocs area on website. It doesn't matter for my example. This file needs to be readable by the process running the web server (typically nobody on Linux shared servers running Apache). Once I know where this file is stored by the application relative to the user's root directory, and it's name, on most if not all the shared server configurations hosting websites around the world, I can simply open the file using the pathname to the file and read and display it, or require it and then display the username and password variables, etc. This of course I'm doing from another user account on the server. In the case of a popular forum script written in PHP, I was able to discover more than one other config file on my server and read it's contents. I notified the owner of the site that I was able to do this, however I had no suggestions for him to protect his information from anyone else who might want to do the same. In a shared server environment where the files must be readable by the webserver process, and there is one web server "user" on the shared server, how can you protect this information? Are you simply screwed? If so, than much of the world is screwed... Any ideas on how to secure this situation? Thanks, -Tim --------------------------------------------------------------------- Before posting, please check: http://www.mysql.com/manual.php (the manual) http://lists.mysql.com/ (the list archive) To request this thread, e-mail <[EMAIL PROTECTED]> To unsubscribe, e-mail <[EMAIL PROTECTED]> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
