I am setting up a server on which many users will have Apache virtualhosts (with suexec). I have PHP set up as a module (and CGI). However, if someone uses PHP for database connections (who doesn't?) then they must have the login info for the DB in a file readable by the user Apache runs as by default. This means that any user on the system could look at your PHP scripts, get your password, log in to the DB, and drop your tables. Am I missing something? Do I have to run CGIs for any security at all? I know a million people use PHP as a module, and they don't seem to mind... Could someone fill me in on the best direction I could be going in? This would also be true for mod_perl, mod_python, etc., right?
Thanks, Jeff Davis
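
Added example, not part of the original post: a small audit sketch that classifies how a database-credentials file is exposed on a shared host, using POSIX owner/group/other permission selection. The account names, UIDs, the `apache` GID of 48, and the file path are constructed sample values.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gids: frozenset

@dataclass(frozen=True)
class FileMeta:
    path: str
    mode: int
    uid: int
    gid: int

def can_read(acct, f):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if acct.uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in acct.gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def classify(f, web, users):
    """Return how a credentials file is exposed to other local accounts."""
    others = [u for u in users if u.uid != f.uid]
    if any(can_read(u, f) for u in others):
        return "direct"      # another user can open the file from a shell
    if can_read(web, f):
        return "via-module"  # in-process scripts of every vhost run as `web`
    return "private"         # owner only; usable only if the script runs as owner

# Constructed sample accounts and file metadata (not from the original post).
WEB = Account("apache", 48, frozenset({48}))
USERS = [Account("alice", 1001, frozenset({1001})),
         Account("bob", 1002, frozenset({1002}))]
SAMPLES = [
    FileMeta("/home/alice/www/db.inc.php", 0o644, 1001, 1001),
    FileMeta("/home/alice/www/db.inc.php", 0o640, 1001, 48),
    FileMeta("/home/alice/www/db.inc.php", 0o600, 1001, 1001),
]

def report():
    return [(oct(f.mode), classify(f, WEB, USERS)) for f in SAMPLES]

if __name__ == "__main__":
    for mode, exposure in report():
        print(mode, exposure)
```

The `via-module` result is the case the post describes: the file is closed to other shell users but still readable by the shared web-server identity that every virtual host's in-process script runs under.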