On Mon, 7 Jul 2003 21:01:40 +0100 (BST), Graham Rule wrote:
>The only place that they are
>available is to PHP scripts run in the relevant directory.

Which means that if a hacker finds a cross script hack in one of those directories (i.e., if you have a security hole in one of your PHP scripts), then it would be possible to access mysql.default_user and mysql.default_password via ini_get()... wouldn't it?

And yes, I understand you could turn on safe_mode or turn off the ini_get() function.

I think the answer is that there isn't a 100% secure way to store user_id / passwords that can be reconstituted. Unfortunately, I don't know what the most secure way to do this would be. Your way MAY be the best that we can get, but it kinda gives me the heebie jeebies. :)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

