Hi all - I am using php/MySQL on an ISP in which there are other users. Everyone has SSH access and can therefore enter everyone else's directories and read any world-readable files. I have a config.inc file which contains my MySQL username and password. This file is located outside of my web directory (to prevent web browsers from reading it). In addition, my ISP added the user 'www' to my group, enabling me to make config.inc group readable but not user readable. Therefore, none of the other users can SSH into the system and read my username and password. This is great, but there is one more concern: if the user 'www' can read this file, isn't it possible for any other user to write a php script, executable by 'www', that instructs the web server to echo the contents of this file? All they have to know is the directory and name of the file they are looking for. Anyone have suggestions on how to close this security hole? Thanks, Jamie -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
