List: General Discussion
From: Paul DuBois
Date: June 6 2001 9:28pm
Subject: RE: Need help on mysql/php
At 10:35 AM -0700 6/6/01, Kenneth Kopelson wrote:
>Actually you are only exposed if you have not set up Apache to run 
>with virtual hosts.  It is not difficult to configure Apache so that 
>a person can only see the scripts that are in his/her directory, and 
>is prevented from seeing or modifying the scripts in other people's 
>directories.  Also, it is wise to place your DB passwords in a 
>separate small file, and then include the file in all your scripts. 
>You can place the password file in a directory that doesn't have any 
>accessibility from anyone on the web.  Let's say we have a password 
>file called "dbpass.inc", and we place it in a directory called 
>"/var/protected" off the root.  Only the webserver is set to have 
>permission to access this directory.  The password file should look 
>something like this:
>
><?php
>$username="username";
>$password="password";
>?>
>
>Then in all your scripts include the following line:
>
>include ('/var/protected/dbpass.inc');

Except that all scripts run by Apache run with the same file system access
privileges (namely, the privileges of the account under which Apache is
set to run).  So all scripts run by a given instance of the server have
equivalent access privileges.  If you and I have scripts run by that server,
my scripts can read yours.  I don't see that virtual hosts have much to do
with it.  (Unless you're talking about Apache 2.xx, which will solve this
problem by allowing different virtual hosts to be associated with distinct
user IDs.)

>
>-Ken
>
>At 08:02 PM 6/5/01 -0500, Paul DuBois wrote:
>>At 10:37 PM +0100 6/5/01, Jorge Oliveira wrote:
>>>Hi again,
>>>
>>>You are right, your username and password will have to be on every PHP
>>>script that needs to use the database.
>>>
>>>However, you don't have to be afraid because nobody can access the source of
>>>your PHP scripts - unless they are a good hacker!
>>
>>Actually, anyone else on the Web server host that has permission to
>>install scripts for the Web server can access the source.
>>
>>I couldn't tell from the original message whether the Web server is
>>shared with other people or not, but if you don't have your own
>>server, you're exposed.
>>
>>>
>>>I think you should pay a visit to http://www.php.net to understand how PHP
>>>works. Start with the basics and you will see that it is really VERY simple.
>>>
>>>Be cool,
>>>
>>>
>>>Jorge Oliveira
>>>admin@stripped
>>>
>>>----------------------------------------
>>>© webfroggie.com - Recursos Online!
>>>web: http://www.webfroggie.com
>>>wap: http://www.webfroggie.com
>>
>>


-- 
Paul DuBois, paul@stripped
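
The shared-account point in the reply above, as an added example that is not part of the original message: a Python check that judges a credentials file by the account a script runs as rather than by who wrote the script, for both the shared server account and the per-user-ID model mentioned for Apache 2.xx. Function names, tenant names and IDs are hypothetical; only mode bits are evaluated (no ACLs, no root bypass).

```python
import os
import tempfile

def allows(mode, owner, group, uid, gids, want):
    """POSIX class selection: owner bits, else group bits, else other bits.
    want is an rwx mask (4 = read, 1 = search). Mode bits only: no ACLs, no root bypass."""
    shift = 6 if uid == owner else 3 if group in gids else 0
    return ((mode >> shift) & want) == want

def readable_by(path, uid, gids):
    """True if the account can search every parent directory and read the file."""
    path = os.path.realpath(path)
    chain, parent = [path], os.path.dirname(path)
    while parent != chain[-1]:
        chain.append(parent)
        parent = os.path.dirname(parent)
    for comp in chain:
        st = os.stat(comp)
        want = 4 if comp == path else 1
        if not allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, want):
            return False
    return True

def tenants_who_can_read(path, tenants, server_account=None):
    """tenants maps name -> (uid, gids). With a shared server_account every tenant's
    script is judged as that one account; with None each script runs under its own IDs."""
    return sorted(name for name, own in tenants.items()
                  if readable_by(path, *(server_account or own)))

if __name__ == "__main__":
    # Constructed stand-in for /var/protected/dbpass.inc, readable only by its owner.
    secret = os.path.join(tempfile.mkdtemp(), "dbpass.inc")
    open(secret, "w").close()
    os.chmod(secret, 0o600)
    # The current user plays the Apache account (shared model) and the file's owner "ken".
    server = (os.getuid(), set(os.getgroups()) | {os.getgid()})
    tenants = {"ken": server, "paul": (os.getuid() + 1, set())}  # constructed IDs
    print("shared account:", tenants_who_can_read(secret, tenants, server))
    print("per-user IDs:  ", tenants_who_can_read(secret, tenants))
```

Under the shared account both tenants are listed, however restrictive the directory is toward web visitors; with per-user IDs only the owner is.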