Re: secret data for php pages
On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:
> > Store the mysql connection information in a PHP file in the webspace. I
> > often create a file db_config.php3 and it looks like this:
> > <?
> > $dbhost = "localhost";
> > $dbuser = "someuser";
> > $dbpasswd = "somepassword";
> > mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> > die("Unable to connect to mysql server ($dbhost) ...");
> > ?>
> The problem is that anyone who can put up a php page can download every
> php page _source_ there is on the webserver (see my initial post).
> Therefore the password is retrievable this way.

Nor would the above script be persistent, no? I don't do any PHP.
What we do is generate an initial connection to db when server starts
up as root. The server then changes uid/gid to nobody:nogroup. Now
that is with WN. Hardly a stock Debian setup. ;^) Nor do we let users
onto the machines with that setup; it's staff only. Period.
As an alternative, you might be able to set server id read only depending
on how much updating and run the updates suid, etc....

Christopher F. Miller, Publisher firstname.lastname@example.org
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
Database publishing, e-commerce, office/internet integration, Debian linux.
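
The startup pattern described in the reply above (do the privileged work as root, then change uid/gid to nobody:nogroup), shown in C as an added example; it is not code from this thread or from WN. The credential path, the ownership/mode check on the file, and the numeric ids 65534 are assumptions.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read a credential file only if it is a regular file owned by `owner`
 * with no group/other permission bits. Returns 0, or -1 on refusal. */
int load_secret(const char *path, uid_t owner, char *buf, size_t len)
{
    struct stat st;
    ssize_t n = -1;
    int fd = len ? open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC) : -1;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        (st.st_mode & 077) == 0)
        n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';   /* strip the trailing newline */
    return 0;
}

/* Permanently switch to uid:gid. Order matters: supplementary groups and
 * gid are changed while still root, uid last. Returns 0, or -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must fail */
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

int main(void)
{
    char pw[128];   /* path is hypothetical; 65534 = nobody:nogroup (assumed) */
    if (load_secret("/etc/myapp/db.secret", 0, pw, sizeof pw) != 0)
        return 1;
    /* ...open the database connection here, while still root... */
    return drop_privileges(65534, 65534) != 0;
}
```

After the drop, the password file stays readable by root only, so a page running as nobody cannot read it back from disk; the already-open connection is what the unprivileged process inherits.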