[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secret data for php pages

On Wed, 7 Jun 2000, Fraser Campbell wrote:

> Robert Varga wrote:
> > What I need is a way to provide separate mysql databases to all
> > virtualhosts and webserver users, without a possibility for them to access
> > each other's databases.
> Create a unique database for each site.  Grant access to it from localhost
> (and others if necessary) to a unique user.
> GRANT ALL ON somedatabase.* TO someuser@localhost IDENTIFIED BY
> 'somepassword';
> Adjust permissions as necessary of course ...
> Store the mysql connection information in a PHP file in the webspace.  I
> often create a file db_config.php3 and it looks like this:
> <?
>   $dbhost   = "localhost";
>   $dbuser   = "someuser";
>   $dbpasswd = "somepassword";
>   mysql_connect ($dbhost, $dbuser, $dbpasswd) or
>     die("Unable to connect to mysql server ($dbhost) ...");
> ?>
> Include that file at the beginning of every PHP script and you know that
> you have a mysql connection available for use automatically.  Storing
> within the webspace may not be ideal but if someone tries to access the
> file directly through a browser the script is interpretted anyway and the
> data isn't accessible (they will get a "document contains no data" error).
> Make sure users cannot move up the "directory tree" when they login by
> ftp.  "DefaultRoot ~" in proftpd.conf will take care of that.  Other FTP
> servers should also have options for this.

The problem is that anyone who can put up a php page can download every
php page _source_ there is on the webserver (see my initial post).
Therefore the password is retrievable this way.


Robert Varga

Reply to: