I have also read that pdf document and I have found another interesting
piece of advice.

The author says that a good way of hiding the username/password is to put a
file that exports 2 environment variables in a directory that can be read
only by root, then include a call to that file in httpd.conf in order to
let the web server have access to those variables.

Well, I don't really understand why this is so secure.

I understand that the web server is run by root, which sees that file and
exports the variables, then another user without many privileges runs the
child process of the web server, but if there is more than one user that
runs PHP files or files made in other languages on that server, they will
also be able to see those environment variables.

Did I understand correctly?
Teddy

----- Original Message -----
From: "Chris Shiflett" <[EMAIL PROTECTED]>
To: "Burhan Khalid" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, August 15, 2004 4:05 PM
Subject: Re: [PHP] PHP Security Workbook


> --- Burhan Khalid <[EMAIL PROTECTED]> wrote:
> > Most of the stuff was common sense to me (and I was glad I
> > was doing those things unconsciously).
>
> That's good to hear. :-)
>
> Most of the people that have heard me give this talk (which is a few
> hundred now) have realized several vulnerabilities in their current
> applications, bad development habits, etc. I actually get tired of giving
> the same (or very similar) talks, but I'll keep giving this one as long as
> it keeps surprising a lot of the audience. The fewer excuses we give
> people to equate PHP with poor security, the better off we'll all be.
>
> >  However, I do have issue with one paragraph:
> >
> > Page 29,
> >

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
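
The visibility question raised in the message above can be checked from the configuration itself. This is an added example, not code from the thread or from the workbook: it reports which virtual hosts' scripts can read variables set by a root-only included file. It assumes the technique is realised with Apache's `Include` and `SetEnv` directives; the file path, variable names and host names are constructed.

```python
import re

# Constructed sample input: the root-only file and two ways of including it.
SECRETS = {"/etc/httpd/secret/db.conf":
           'SetEnv DB_USER "appuser"\nSetEnv DB_PASS "example-only"\n'}
HTTPD_GLOBAL = """\
Include "/etc/httpd/secret/db.conf"
<VirtualHost *:80>
    ServerName a.example
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
</VirtualHost>
"""
HTTPD_SCOPED = """\
<VirtualHost *:80>
    ServerName a.example
    Include "/etc/httpd/secret/db.conf"
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
</VirtualHost>
"""

def setenv_visibility(conf, files):
    """Map each virtual host's ServerName to the SetEnv names its scripts see."""
    global_vars, vhosts, state = set(), {}, {"cur": None}

    def walk(text):
        for raw in text.splitlines():
            line = raw.strip()
            low = line.lower()
            if low.startswith("<virtualhost"):
                state["cur"] = {"name": "?", "vars": set()}
            elif low.startswith("</virtualhost"):
                vhosts[state["cur"]["name"]] = state["cur"]["vars"]
                state["cur"] = None
            elif m := re.match(r'(\w+)\s+"?([^"\s]+)"?', line):
                directive, arg = m.group(1).lower(), m.group(2)
                if directive == "servername" and state["cur"]:
                    state["cur"]["name"] = arg
                elif directive == "include":
                    walk(files[arg])  # included text takes the including scope
                elif directive == "setenv":
                    (state["cur"]["vars"] if state["cur"] else global_vars).add(arg)

    walk(conf)
    # Server-scope variables are inherited by every virtual host.
    return {name: sorted(v | global_vars) for name, v in vhosts.items()}
```

The root-only permission protects the file on disk; what the running scripts can read is decided by the scope in which the file is included.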
