Re: [PHP] MySQL password file

Posted by Jason Wong on 07/20/05 00:35

On Monday 18 July 2005 18:53, Lawrence Kennon wrote:
> In my current hosting situation I don't have the ability to store my
> file that contains MySQL userids/passwords in a subdirectory that is
> not under the server root. In order to protect it from being included
> from a foreign host I thought up this scheme of using the php_uname
> function to check that it is running on the correct host. Does this
> look reasonably secure? I am not hosting any kind of store, or terribly
> sensitive data - it will only be a bulletin board.

If by "foreign host" you mean a remote (ie over the network) host then
there is nothing for you to worry about (if your webserver is configured
correctly -- see below). When using include() on a remote file you are
only including the output of that file AFTER it has been processed by
php. Thus in the case of the example below where you're only defining a
bunch of constants there is no output and thus nothing to "include".

> define ('DB_USER', 'username');
> define ('DB_PASSWORD', 'password');
> define ('DB_HOST', 'localhost');
> define ('DB_NAME', 'dbname');

**Beware** if you're using a non-standard filename extension for your
include files, eg .inc, and have not configured your webserver to process
these using php then it *is* possible to include and use these
remotely. You can easily check this by entering the URL of the include
file into a browser and then "view source", what you see is what will be
included by a "foreign host".

What you should be more concerned about if you're on a shared host is that
there is a good possibility that your co-hosts are able to access your
files anyway.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
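
Added example, not part of the original post: a local audit for the `.inc` case described in the reply. It walks a document root and reports files that contain PHP code but have an extension the server would return as plain text. The set of PHP-handled extensions, the `DB_` constant prefix, the function names and the sample tree are assumptions made for this illustration.

```python
import os
import re
import tempfile

# Assumption: extensions this web server hands to the PHP interpreter.
PHP_HANDLED = {".php"}
# Matches "<?php" and "<?=" (bare "<?" short tags are not detected here).
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Credential-style constants like the ones in the quoted config file.
SECRET_DEFINE = re.compile(rb"define\s*\(\s*['\"](DB_[A-Z_]+)['\"]")


def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Map relative path -> DB_* constant names for files that hold PHP
    code but would be served unprocessed because of their extension."""
    exposed = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue  # run through PHP: a remote request sees only output
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if PHP_OPEN_TAG.search(data):
                names = sorted({m.decode() for m in SECRET_DEFINE.findall(data)})
                exposed[os.path.relpath(path, docroot)] = names
    return exposed


def build_sample_docroot():
    """Constructed sample tree: the same config saved as .php and as .inc."""
    root = tempfile.mkdtemp()
    config = (b"<?php\ndefine ('DB_USER', 'username');\n"
              b"define ('DB_PASSWORD', 'password');\n")
    for name, body in (("config.php", config), ("config.inc", config),
                       ("index.html", b"<html></html>")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, names in find_exposed_includes(build_sample_docroot()).items():
        print(path, "would be served as source; defines:",
              ", ".join(names) or "none")
```

A file reported here should still be confirmed the way the reply suggests, by requesting its URL and viewing the source, since the server's real handler configuration decides what is returned.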

 
