Re: secret data for php pages
On Wed, Jun 07, 2000 at 08:23:18PM +0200, Robert Varga wrote:
> > Store the mysql connection information in a PHP file in the webspace. I
> > often create a file db_config.php3 and it looks like this:
> >
> > <?
> > $dbhost = "localhost";
> > $dbuser = "someuser";
> > $dbpasswd = "somepassword";
> > mysql_connect ($dbhost, $dbuser, $dbpasswd) or
> > die("Unable to connect to mysql server ($dbhost) ...");
> > ?>
> >
>
>
> The problem is that anyone who can put up a php page can download every
> php page _source_ there is on the webserver (see my initial post).
> Therefore the password is retrievable this way.

Nor would the above script be persistent, no? I don't do any PHP.

What we do is generate an initial connection to db when server starts
up as root. The server then changes uid/gid to nobody:nogroup. Now
that is with WN. Hardly stock debian setup. ;^) Nor do we let users
onto the machines with that setup; it's staff only. Period.

As an alternative, you might be able to set server id read only depending
on how much updating and run the updates suid, etc....

cfm
--
Christopher F. Miller, Publisher cfm@maine.com
MaineStreet Communications, Inc 208 Portland Road, Gray, ME 04039
1.207.657.5078 http://www.maine.com/
Database publishing, e-commerce, office/internet integration, Debian linux.
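
The startup order described in the reply above (use the secret while still root, then switch to nobody:nogroup), as an added example that is not part of the original thread. The function names, the 65534 uid/gid for nobody:nogroup and the sample secret file are assumptions.

```python
import os
import stat
import tempfile

NOBODY_UID = NOBODY_GID = 65534  # assumption: nobody:nogroup on Debian

def read_secret(path):
    """Return the secret, refusing a file that group or other can access."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # do not follow symlinks
    try:
        st = os.fstat(fd)  # check the opened file itself, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError(f"{path}: not owned by the starting user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: accessible to group or other")
        return os.read(fd, 4096).decode().strip()
    finally:
        os.close(fd)

def drop_privileges(uid=NOBODY_UID, gid=NOBODY_GID):
    """Give up root for good: supplementary groups, then gid, then uid."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)  # must fail once the drop is permanent
    except PermissionError:
        return
    raise RuntimeError("root could be regained after the drop")

def start(secret_path):
    """Use the secret while privileged, then serve as an unprivileged user."""
    secret = read_secret(secret_path)
    # A real server would open its database connection with `secret` here.
    if os.geteuid() == 0:
        drop_privileges()
    return secret

if __name__ == "__main__":
    fd, path = tempfile.mkstemp()  # constructed sample file, created 0600
    os.write(fd, b"somepassword\n")
    os.close(fd)
    print("secret loaded:", bool(start(path)), "now uid", os.getuid())
```

Code running after the drop can no longer open the secret file, so a page author on the same server cannot read it through the server's own uid.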