
Re: secret data for php pages

On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:

> > Store the mysql connection information in a PHP file in the webspace.  I
> > often create a file db_config.php3 and it looks like this:
> > 
> > <?
> >   $dbhost   = "localhost";
> >   $dbuser   = "someuser";
> >   $dbpasswd = "somepassword";
> >   mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> >     die("Unable to connect to mysql server ($dbhost) ...");
> > ?>
> > 
> The problem is that anyone who can put up a php page can download every
> php page _source_ there is on the webserver (see my initial post).
> Therefore the password is retrievable this way.

Nor would the above script be persistent, no?  I don't do any PHP.

What we do is generate an initial connection to db when server starts
up as root.  The server then changes uid/gid to nobody:nogroup.  Now
that is with WN.  Hardly stock debian setup.  ;^)  Nor do we let users
onto the machines with that setup; it's staff only.  Period.

As an alternative, you might be able to set server id read only depending
on how much updating and run the updates suid, etc....



Christopher F. Miller, Publisher                             cfm@maine.com
MaineStreet Communications, Inc         208 Portland Road, Gray, ME  04039
1.207.657.5078                                       http://www.maine.com/
Database publishing, e-commerce, office/internet integration, Debian linux.
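
The startup order described in the message above (acquire the database secret while still root, then change uid/gid to nobody:nogroup), as an added example that is not part of the original post or of the WN server's code. It reads a credentials file instead of opening a MySQL connection; the path /etc/dbsecret and the functions read_secret and drop_privileges are hypothetical, and uid/gid 65534 is assumed to be nobody:nogroup as on Debian.

```c
/* Added example (not from the thread): open the DB secret as root, then drop
   to nobody:nogroup so code running afterwards cannot reopen the file. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read one line (the password) from an already-open descriptor into buf.
   Returns its length without the newline, or -1 on error. */
ssize_t read_secret(int fd, char *buf, size_t cap) {
    ssize_t n = pread(fd, buf, cap - 1, 0);
    if (n < 0) return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return (ssize_t)strlen(buf);
}

/* Permanently drop root. Returns 0 on success, 1 if the process was not root
   (nothing to drop), -1 if any step failed; a server must exit on -1. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 1;
    if (setgroups(0, NULL) != 0) return -1; /* shed root's supplementary groups */
    if (setgid(gid) != 0) return -1;        /* gid first: impossible after setuid */
    if (setuid(uid) != 0) return -1;        /* as root: real, effective, saved uid */
    if (uid != 0 && setuid(0) == 0) return -1; /* regaining root must fail */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv) {
    /* Hypothetical root-owned, mode 0600 file; 65534 assumed nobody:nogroup. */
    const char *path = argc > 1 ? argv[1] : "/etc/dbsecret";
    char pw[128];
    int fd = open(path, O_RDONLY | O_CLOEXEC);  /* privileged step, done once */
    if (fd < 0) { perror(path); return 1; }
    if (drop_privileges(65534, 65534) < 0) { fprintf(stderr, "drop failed\n"); return 1; }
    if (read_secret(fd, pw, sizeof pw) < 0) { perror("read"); return 1; }
    close(fd);
    printf("secret loaded (%zu bytes), uid now %d\n", strlen(pw), (int)getuid());
    /* The post opens the DB connection at this point rather than a file; the
       ordering is the same: acquire as root, drop, then serve requests. */
    return 0;
}
```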
