Re: secret data for php pages
On Wed, 7 Jun 2000, Fraser Campbell wrote:
> Robert Varga wrote:
> > What I need is a way to provide separate mysql databases to all
> > virtualhosts and webserver users, without a possibility for them to access
> > each other's databases.
> Create a unique database for each site. Grant access to it from localhost
> (and others if necessary) to a unique user.
> GRANT ALL ON somedatabase.* TO someuser@localhost IDENTIFIED BY
> Adjust permissions as necessary of course ...
> Store the mysql connection information in a PHP file in the webspace. I
> often create a file db_config.php3 and it looks like this:
> $dbhost = "localhost";
> $dbuser = "someuser";
> $dbpasswd = "somepassword";
> mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> die("Unable to connect to mysql server ($dbhost) ...");
> Include that file at the beginning of every PHP script and you know that
> you have a mysql connection available for use automatically. Storing
> within the webspace may not be ideal but if someone tries to access the
> file directly through a browser the script is interpretted anyway and the
> data isn't accessible (they will get a "document contains no data" error).
> Make sure users cannot move up the "directory tree" when they login by
> ftp. "DefaultRoot ~" in proftpd.conf will take care of that. Other FTP
> servers should also have options for this.
The problem is that anyone who can put up a php page can download every
php page _source_ there is on the webserver (see my initial post).
Therefore the password is retrievable this way.