[snip]
pablo...

i fail to see how your suggestion is much more secure than placing the
user/passwd information in a file that's outside the web access space,
and then including the file.

in either case, the user wouldn't be able to read the include file. 
[/snip]

Greetings, Bruce.

On a dedicated server there wouldn't be much difference.  However if the
site in question were on a shared host (which is usually the case) there
would be a huge difference.

On shared hosts since files to be included need to be readable by the
user the server runs as their permissions must be set to:

-rw-r--r--

And since everyone else who has a site on the same server must also
have files to be included set to be readable by the server user, one
could easily write a trolling script to traverse the directories of
other users on the site and grab whatever info they needed.

The shared host I use for my personal site used to have this problem
until I made them aware of it.  In less than two minutes I was able to
find several database usernames and passwords.  They've since made
changes to eliminate this problem.  All that needs to be done is to
secure the directory permissions and the problem goes away.

By setting the file readable only by root this problem is completely
eliminated.  Unless a hacker has the root password, they will not be
able to compromise the information in this file.

This is how I understand it, at least.  If Chris reads this perhaps he
can confirm this for me?

Cheers,

Pablo
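The permission problem described in the message above (an include file left at -rw-r--r-- so that every other account on a shared host can read it) can be audited and corrected from the file owner's side. The following is an added example, not code from the thread or from PHP: it builds a small constructed docroot in a temporary directory, reports which config-like files are readable by "other", and removes group/other access from them. The CONFIG_SUFFIXES list and the demo file names are assumptions made for the example.

```python
import os
import stat
import tempfile

# File names that typically hold credentials on a PHP site. This list is an
# assumption for the example, not something taken from the thread.
CONFIG_SUFFIXES = (".inc", ".inc.php", "config.php", "db.php")


def world_readable(path):
    """True if the 'other' read bit is set: the final 'r' in -rw-r--r--."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IROTH)


def audit_tree(root):
    """Walk root and return the relative paths (sorted) of config-like files
    that any other account on the same host could read."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(CONFIG_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            if world_readable(full):
                findings.append(os.path.relpath(full, root))
    return sorted(findings)


def lock_down(path):
    """Leave only owner read/write (0600). Returns the new permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def lock_down_all(root):
    """Fix every finding from audit_tree; returns (relative path, new mode) pairs."""
    fixed = []
    for rel in audit_tree(root):
        fixed.append((rel, lock_down(os.path.join(root, rel))))
    return fixed


def build_demo_site():
    """Constructed sample docroot: one leaky include, one include that is
    already owner-only, and an ordinary page. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="demo_site_")
    inc_dir = os.path.join(root, "private")
    os.makedirs(inc_dir)

    leaky = os.path.join(inc_dir, "db.inc")
    with open(leaky, "w") as fh:
        # Constructed placeholder credentials, not real values.
        fh.write("<?php $db_user = 'example'; $db_pass = 'placeholder'; ?>\n")
    os.chmod(leaky, 0o644)  # -rw-r--r--, exactly the mode discussed above

    locked = os.path.join(inc_dir, "config.php")
    with open(locked, "w") as fh:
        fh.write("<?php /* already owner-only */ ?>\n")
    os.chmod(locked, 0o600)

    page = os.path.join(root, "index.php")
    with open(page, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.chmod(page, 0o644)  # public page, not a credential file
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel, new_mode in lock_down_all(site):
        print("locked down %s -> %o" % (rel, new_mode))
```

The check inspects the permission bits rather than trying to open the file, so it gives the same answer whether it runs as the site owner or as root. Note the trade-off the message itself points out: once an include is 0600, only its owner can read it, so this only works where the PHP process handling that site runs as the file owner (or where the host has otherwise arranged for the server to read it), not where one shared server user serves every account.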

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
