At 01:50 PM 2/20/2001 -0600, you wrote:
>As far as I know, you can not download PHP programs without access to
>download them. Meaning you need an account on the webserver, so they would
>need your account user and pass before they could steal your mysql user and
>pass.
The main issue is that (especially under Unix) the FrontPage server
extensions are notoriously poorly written and in most cases leave massive
security holes wide open. Try doing a Google search for "hacking
frontpage" to see some examples. The real solutions are:
do not host with a provider that supports Front Page
do not use Front Page as your HTML editor
If you do decide to use FrontPage as your editor, make sure that you do not
let it upload (or immediately remove) the "shadow" directories such as _vti_cnf
(there are others too which I forget) that it likes to include with
uploads. As long as you avoid that pitfall and the server does not have
the server extensions installed, you should be safe.
You should also place your sensitive values in a separate file that is
located in a non-web accessible directory or if you are running under "safe
mode", in a protected sub-directory. Under Apache you would just have to
create a directory called something like "./include" and in it place a
.htaccess file with the following line:
deny from all
This makes it so that the only way to access the file is via an include
command within PHP. This won't save you from local users viewing the file
but that is a different sack of nuts.
Cheers
-----------------------------------------------------------------------------
Island Net AMT Solutions Group Inc. Telephone: 250 383-0096
1412 Quadra Toll Free: 1 800 331-3055
Victoria, B.C. Fax: 250 383-6698
V8W 2L1 E-Mail: [EMAIL PROTECTED]
Canada WWW: http://www.islandnet.com/
-----------------------------------------------------------------------------
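As an added example (not part of the message above), here is a POSIX shell script that builds the "./include" directory with the .htaccess described and then checks it. It assumes a hypothetical credentials file name, db_config.php, and a default web root of /var/www/html. One caveat a practitioner will want: "deny from all" is the Apache 2.2 spelling. On Apache 2.4 it only works when mod_access_compat is loaded, and the native directive is "Require all denied", so the script writes both forms, each inside an IfModule guard so neither server version chokes on an unknown directive. Either form only takes effect where the server's AllowOverride setting permits .htaccess files in that tree.

```shell
#!/bin/sh
# Added example, not from the original message: lay out a PHP "include"
# directory that Apache refuses to serve, and verify it.
# Assumptions (hypothetical): Apache honours .htaccess in this tree
# (AllowOverride Limit or All), the credentials file is db_config.php,
# and the web root defaults to /var/www/html.
set -eu

# Create DIR with an .htaccess that refuses every HTTP request and a
# credentials file that only its owner and group can read. The Apache 2.2
# form (Order/Deny) and the 2.4 form (Require) are both written, each
# guarded by IfModule so the other version never sees an unknown directive.
make_include_dir() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
EOF
    cat > "$dir/db_config.php" <<'EOF'
<?php
// Hypothetical credentials; reached only via require/include from PHP.
return array(
    'host' => 'localhost',
    'user' => 'app_user',
    'pass' => 'change-me',
    'name' => 'app',
);
EOF
    chmod 0750 "$dir"
    chmod 0640 "$dir/.htaccess" "$dir/db_config.php"
}

# Return 0 when DIR is safe: the credentials file exists and is not
# world-readable, and, if DIR sits under DOCROOT (default /var/www/html),
# its .htaccess carries a deny rule. A directory outside the web root is
# not reachable over HTTP and therefore needs no .htaccess.
check_include_dir() {
    dir=$1
    docroot=${2:-/var/www/html}
    [ -f "$dir/db_config.php" ] || return 1
    [ -z "$(find "$dir/db_config.php" -perm -o+r)" ] || return 1
    real_dir=$(cd "$dir" && pwd -P)
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P || echo /nonexistent)
    case "$real_dir/" in
        "$real_root"/*)
            [ -f "$dir/.htaccess" ] || return 1
            grep -Eiq '^[[:space:]]*(Deny from all|Require all denied)[[:space:]]*$' \
                "$dir/.htaccess" || return 1
            ;;
    esac
    return 0
}

# Usage: make_include_dir /var/www/html/include
#        check_include_dir /var/www/html/include /var/www/html && echo ok
```

The PHP page then loads the credentials with something like `$cfg = require '/var/www/html/include/db_config.php';`. PHP reads the file straight from disk, so the .htaccess rule does not interfere with the include. As the message says, none of this helps against other local users on the same box; the chmod 0640 in the script is the most the file system offers there, and it only helps if the web server runs under a group that other customers' accounts are not members of.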
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]