[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secret data for php pages

On Wed, 7 Jun 2000, Robert Varga wrote:

> On Wed, 7 Jun 2000, Fraser Campbell wrote:
> > Robert Varga wrote:
> > 
> > > What I need is a way to provide separate mysql databases to all
> > > virtualhosts and webserver users, without a possibility for them to access
> > > each other's databases.
> > 
> > Create a unique database for each site.  Grant access to it from localhost
> > (and others if necessary) to a unique user.

> The problem is that anyone who can put up a php page can download every
> php page _source_ there is on the webserver (see my initial post).
> Therefore the password is retrievable this way.

I set a global variables in /etc/php3/apache/php3.ini
safe_mode		= on
auto_prepend_file       = www-data.php3   ; www-data owned empty file for
                                          ; security

The empty www-data.php3 is owned by 'www-data'. All *.php3 files served
must be owned by www-data to be served unless I override the prepend in
the Apache *.conf files. This config prevents just anybody putting up a
*.php3 file and having it do anything.

In /etc/apache/*.conf, I put values for
php3_include_path         PATH
php3_auto_prepend_file	  FILE

in appropriate Directory, Location and VirtualHost directive sections.

PHP4 has a different format
php_value include_path 		PATH
php_value auto_prepend_file	FILE

MySql permissions can control who can acccess what database for users
logged in.

Via the Web, the URL will determine which file is prepended, setting the
web based authentication.  The auto_prepend_file's should be located in a
non-servable directory as it will contains the passwords you assign.

Also, have a look at the 'phplib' deb package for ideas.

Gerard MacNeil, P. Eng                          macneil@supercity.ns.ca
System Administrator
Supercity Internet Services                     http://www.supercity.ns.ca

Reply to: