Hi Thomas!
On Tue, 10 Jul 2001, Thomas David Kehoe wrote:
> 
>     include ('http://www.friendshipcenter.com/Objects/swordfish.inc');
>     echo "Your password is ", PASSWORD;
> 
> it works, i.e., prints "Your password is swordfish."
> 
> When I use the following lines
> 
>     include ('http://www.friendshipcenter.com/Objects/swordfish.php');
>     echo "Your password is ", PASSWORD;
> 
> it doesn't work, i.e., prints "Your password is PASSWORD."
> 
> I tried putting swordfish.inc in my "cgi-bin" directory, which is outside my
> "www" directory.  I can't figure out what pathname to call it with.  I.e.,
> 
>     include ('cgi-bin/swordfish.inc');
wai' wai' waitasecond!
gosh :)
you're including your inc file via web just cause you couldn't figure the path
via file system? Well, this way anybody can read it.

> I rent server space from phpwebhosting.com, so I can't change the PHP
> settings.
I'm about to deploy a B2B there too, and I can give you a hint on the path.

your home is ~<account> == $HOME
your web is under $HOME/www/
lines starting w/ $ are shell commands

now, create a dir inc like that:
$ mkdir ~/phpinc

put your password file there
$ echo "<?php define('PASSWORD','@#complicated');" > ~/phpinc/password.php

move to ~/www/
$ cd ~/www
create a file named test.php by editing it with vim or something

say:
<?php
define ('PHPINC',dirname(__FILE__).'/../phpinc');

include (PHPINC.'/password.php');
echo "Password is:" , PASSWORD;

->end edit<-

The first line defines the location of the directory with PHP files that are out
of any visitor's sight. Nobody should reach them via web unless you do something
silly in your PHP programs (i.e. trust user-supplied data).

Now request test.php via your browser. It should work.
$ lynx http://www.yourdomain.com/test.php

Nobody can read your password file, cause it's outside web root (in this case
under $HOME/phpinc)

cheers,

-- teodor

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
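
An audit of the layout described in the reply above, as an added example that is not part of the original message: it checks that a secrets file resolves outside the web root and lists files under the web root that hold PHP code but would be served as plain text. It assumes the server passes only files ending in .php to the interpreter; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the $HOME/www and $HOME/phpinc layout from the thread.
# Assumption: the web server only hands files ending in .php to PHP.

# Print the physical (symlink-resolved) absolute path of a directory.
canon_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Succeed (0) when FILE lives outside WEBROOT after resolving symlinks,
# fail with 1 when it is inside, 2 when a directory cannot be resolved.
is_outside_webroot() {
    file_dir=$(canon_dir "$(dirname "$1")") || return 2
    root=$(canon_dir "$2") || return 2
    case "$file_dir/" in
        "$root"/*) return 1 ;;   # inside the web root: reachable by URL
        *)         return 0 ;;   # outside: only reachable via the file system
    esac
}

# List files under WEBROOT that contain PHP code but do not end in .php,
# e.g. a .inc file, which the assumed server would send back as source text.
find_exposed_includes() {
    find "$1" -type f ! -name '*.php' -exec grep -lF '<?php' {} + 2>/dev/null | sort
}

# Direct use: sh audit.sh ~/www ~/phpinc/password.php
if [ "$#" -eq 2 ]; then
    if is_outside_webroot "$2" "$1"; then
        echo "OK: $2 is outside $1"
    else
        echo "WARN: $2 is under $1 (or a path could not be resolved)"
    fi
    find_exposed_includes "$1" | sed 's/^/EXPOSED: /'
fi
```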
