On Mon, 7 Jul 2003 21:01:40 +0100 (BST), Graham Rule wrote:
>The only place that they are
>available is to PHP scripts run in the relevant directory.
Which means that if a hacker finds a cross script hack in one of those
directories (i.e., if you have a security hole in one of your PHP
scripts), t
On Mon, 30 Jun 2003, Peter Janett wrote:
> This issue seems to be a huge issue, and I've been looking for a good
> solution for quite a long time. My concern is that a shell emulating PHP or
> Perl script run as Apache can read or copy ANY PHP script used with PHP as
> an Apache module.
The reaso
-Original Message-
From: Derick Rethans [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 2:59 PM
To: Wendell Brown
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] web site security: how to hide login info for
mysql-connection
On Mon, 30 Jun 2003, We
That's where this thread started...
--- Wendell Brown <[EMAIL PROTECTED]> wrote:
> On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> >My concern is that a shell emulating PHP or
> >Perl script run as Apache can read or copy ANY PHP script used
> with PHP as
> >an Apache module.
>
> It
On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>My concern is that a shell emulating PHP or
>Perl script run as Apache can read or copy ANY PHP script used with PHP as
>an Apache module.
It seems to me like the safest way to handle this would be to create a
function that opens the databa
On Mon, 30 Jun 2003, Wendell Brown wrote:
> On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> >
> > php_value mysql.default_user fred
> > php_value mysql.default_password secret
> > php_value mysql.default_host server.example.com
> >
>
> H what about phpinfo()? It shows
>>
>> php_value mysql.default_user fred
>> php_value mysql.default_password secret
>> php_value mysql.default_host server.example.com
>>
>
>H what about phpinfo()? It shows those settings in the clear.
solution: don't leave stray phpinfo's on a production site. :)
On Mon, 30 Jun 2003 13:50:21 -0600, Peter Janett wrote:
>
> php_value mysql.default_user fred
> php_value mysql.default_password secret
> php_value mysql.default_host server.example.com
>
H what about phpinfo()? It shows those settings in the clear.
om: Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 8:34 AM
To: Jaap van Ganswijk; [EMAIL PROTECTED]
Subject: Re: [PHP] web site security: how to hide login info for
mysql-connection
How do you handle storing the login info then? Do you encrypt the
file and decrypt it on the fly? Where wou
e to keep the MySQL
> login data uncoded on the Unix system, because
> other users or the system managers could read it.
> Generally these files have to be readable by Apache
> and therefore other users on the system can often
> also read them.
>
> Greetings,
> Jaap
>
>
> >--
e -----
>From: "anders thoresson" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Sunday, June 29, 2003 4:33 PM
>Subject: Re: [PHP] web site security: how to hide login info for
>mysql-connection
>
>
>> > Be aware that wherever you store t
"include_path").":". "/your/path/here/");
then include/require as normal
-- frank
- Original Message -
From: "anders thoresson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, June 29, 2003 4:33 PM
Subject: Re: [PHP] web site securi
Be aware that wherever you store the settings folder, your php.ini should
have that path in its include_directories setting, and the webserver must
have read permissions for that file.
I don't have access to php.ini on my ISP's web server. Is there a way for
a user to make their own set ow inclu
Hi,
At the moment I store username, password and database for my MySQL
connections in a file called settings.php to avoid putting them in my PHP
files directly. On a Linux server, what extra steps can I take to prevent
others from accessing settings.php?
Somewhere, I've read that settings.php sh