Posted by Jesper H. on 08/08/06 02:12
On 2006-08-07, Chuck Anderson wrote:
> 1. Is there another way that I can set the include path globally for
> my site? (Adding them to htaccess throws a 500 server error.)
Like this?
php_value include_path "whatever"
If it doesn't work, then a vague part of my memory says that Apache's
AllowOverride directive might be the problem. Unfortunately I don't
remember the minimal setting needed for php_value and such to work. You
would need to contact the admins to have it changed.
> 2. How much security is really gained by moving sensitive include
> files out of the site path (my include files all use the .php
> extension)? Should I even be that concerned about this capability?
The only potential risk I can see is if the admins accidentally disable
PHP processing, e.g. while updating some configuration files. So I'd say
it depends on how competent and alert the admins are. Still, even with
good admins, I'd better be safe than sorry.
> 3. Would I gain the same security if I changed my current include
> files (which I would have to put back into the public site path) to do
> nothing but set include_path outside the public site and then include
> a new, secondary file which actually contains the sensitive data?
As far as I can tell, it would give you almost the same security. Again
the only potential problem I can see is accidentally disabling PHP, which
would let your users see the filenames you're including. Then they'd have
a more accurate idea of where to look, in the non-public parts of the
server. But at least now they'd have to somehow get local access, as
well as overriding the permissions that prevent users from peeking at
each other's files (.. you do have permissions set like that, right?).
--
|\_/| ,(Meow) Jesper H. <xyborx+usenet@xyborx.dk>
(^.^)
`^' Sanity is an illusion
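
The failure mode discussed in the reply above is a server that, with PHP processing disabled, returns include files as raw source. As an added example (not part of the original post), here is a monitoring check that flags such a response and lists what it discloses; the function name, sample bodies, directory and file names are all constructed for illustration.

```python
import re

# An opening PHP tag in a response body normally means the file was sent
# as source instead of being executed. Covers "<?php", "<?=" and "<? ".
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# include/require statements reveal the names of the files being pulled in.
INCLUDE_STMT = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
# set_include_path()/ini_set('include_path', ...) reveal the private directory.
INCLUDE_PATH = re.compile(
    r"\b(?:set_include_path\s*\(|ini_set\s*\(\s*['\"]include_path['\"]\s*,)"
    r"\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)

# Constructed sample: a public stub as in question 3, returned unexecuted.
LEAKED_STUB = """<?php
set_include_path('/home/example/private');
require_once 'db_settings.php';
?>"""
# Constructed sample: XML prolog in normal output, which must not be flagged.
XHTML_PAGE = '<?xml version="1.0"?>\n<html><body>ok</body></html>'


def check_response(content_type, body):
    """Return a list of findings for one HTTP response (empty = nothing seen)."""
    if not PHP_OPEN_TAG.search(body):
        return []
    findings = ["raw PHP source served as " + content_type]
    findings += ["include_path disclosed: " + p for p in INCLUDE_PATH.findall(body)]
    findings += ["included file disclosed: " + f for f in INCLUDE_STMT.findall(body)]
    return findings


if __name__ == "__main__":
    for label, ctype, body in [("stub, PHP disabled", "text/plain", LEAKED_STUB),
                               ("stub, PHP working", "text/html", ""),
                               ("xhtml page", "application/xhtml+xml", XHTML_PAGE)]:
        print(label, "->", check_response(ctype, body) or "ok")
```

Run against your own site's include URLs on a schedule, a non-empty result is the signal that PHP handling has been switched off.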