Hi All,
Another good piece of advice is to restrict access to the files where you
include your login/pass. Give permissions only to the PHP user, I mean
the user that runs the PHP process (in Unix/Linux run ps axu and look
at the user column). Then change the file permissions to just that user
(Unix chown and chmod, more info 'man chmod' and 'man chown'). If you
are using W9x/ME you're out of luck.
Hope this helps.
Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)
BRACK wrote:
>
> I have tested again what I said yesterday and found that if I have
> problems in PHP support in Apache then all my information
> (username and password) is seen simply on the screen, so it's not
> about dead SQL server but PHP.
>
> However, I went through all docs that I have on this topic and found
> that the only solution of this is to put included "connect.php/inc"
> outside of htdocs directory and configure your php.ini such a way
> that one outsider directory would be accepted and only by php call.
>
> Hope I didn't mess up this time so you are able to understand what
> I mean... =))
>
> Thank you for the help anyway, just be aware of this PHP prob
> when you pick up provider.
>
> Youri
> On 8 Aug 2001, at 19:33, Attila Strauss wrote:
>
> > hi,
> >
> > there are 2 ways.
> >
> > 1. you hardcode the user/password in the php.ini file.
> > 2. you do a simple error check like:
> >
> > <?php
> > $connect = mysql_connect($host, $user, $pass);
> > if(!$connect)
> > {
> > print "connection failed";
> > }
> >
> > ?>
> >
> > of course you could also do like kinda header("Location: http://host");
> > instead of print "connection failed".
> >
> > i hope i could help you.
> >
> > best regards
> > attila strauss
> >
> >
> >
> >
> > > Hey Jouri,
> > >
> > >
> > > I don't agree with this one. I tested it out on my
> > > localhost and got the two error messages I told you I
> > > was going to get:
> > >
> > > Warning: Unknown MySQL Server Host...
> > > Warning: MySQL Connection Failed...
> > >
> > > No usernames/passwords. I have to say however that I
> > > always include my connect.php file. Maybe that's a
> > > secure way to connect without anyone seeing your
> > > password in case of sqlserver problems.
> > >
> > >
> > > Greetz,
> > > Bjorn Van Simaeys
> > > www.bvsenterprises.com
> > >
> > >
> > >
> > >
> > > --- BRACK <[EMAIL PROTECTED]> wrote:
> > > > If you have Apache and MySQL servers make this experiment -
> > > > start Apache but "forget" to start SQL and go to your site
> > > > http://localhost/... you will see yourself all the information
> > > > on the screen.
> > > >
> > > > Youri
> > > >
> > > > On 7 Aug 2001, at 12:53, Ryan Christensen wrote:
> > > >
> > > > > I'm curious as to how the "hacker" would see all this information
> > > > > (the username.. password, etc..) just by going to a site where the
> > > > > SQL backend was down?
> > > > >
> > > > > Ryan
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: BRACK [mailto:[EMAIL PROTECTED]]
> > > > > > Sent: Tuesday, August 07, 2001 12:36 PM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [PHP] MySQL connection
> > > > > >
> > > > > >
> > > > > > I just wanted to bring the issue of security of MySQL connection:
> > > > > >
> > > > > > Let us imagine that SQL server was down for some hours (of
> > > > > > course without us knowing it) and at the same hours our SQL site
> > > > > > was visited by some kind of hacker, he can see on his screen all
> > > > > > our SQL connection info like username, password, and database
> > > > > > name. You may hide this information in different file than the file
> > > > > > that your users open then the hacker will see something like
> > > > > > "include("connect.inc");" or "require("connect.inc");" (of course IF
> > > > > > server is down). So you may only imagine the consequences of
> > > > > > this visit of the hacker. What can we do to protect our sensitive
> > > > > > information if SQL server is down?
> > > > > >
> > > > > > Youri
> > > > > >
> > > > > > --
> > > > > > PHP General Mailing List (http://www.php.net/)
> > > > > > To unsubscribe, e-mail:
> > > > [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail:
> > > > [EMAIL PROTECTED]
> > > > > > To contact the list administrators, e-mail:
> > > > [EMAIL PROTECTED]
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
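
The two measures suggested in this thread (keeping the credentials include outside the document root, and limiting it to the account that runs PHP) can be verified with a short shell function. This is an added example, not code from any poster; the file path, document root and PHP account name are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a PHP credentials include (e.g. connect.inc).
# Arguments: file, web document root, account that runs PHP.
# All three values are site-specific assumptions supplied by the caller.

audit_cred_file() {
    file=$1 docroot=$2 php_user=$3
    rc=0

    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Resolve both paths so symlinks and ../ cannot hide a file in the docroot.
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    root=$(cd "$docroot" && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) echo "FAIL: $file is inside the document root"; rc=1 ;;
    esac

    # ls -ld prints e.g. "-rw------- 1 www-data www-data ...".
    set -- $(ls -ld "$file")
    mode=$1 owner=$3

    [ "$owner" = "$php_user" ] || {
        echo "FAIL: owner is $owner, expected $php_user"; rc=1
    }

    # Characters 5-10 of the mode string are the group and other bits.
    go_bits=$(printf '%s' "$mode" | cut -c5-10)
    [ "$go_bits" = "------" ] || {
        echo "FAIL: group/other can access the file ($mode)"; rc=1
    }

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Run as a script: audit.sh /path/to/connect.inc /path/to/htdocs php-user
if [ "$#" -eq 3 ]; then
    audit_cred_file "$@"
fi
```

The function only reports; fixing a finding is the chown/chmod step from the reply, run as root with the account name shown by ps axu.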