Posted by robert on 05/06/06 00:34
| I notice that some php scripts I'm using contain passwords or email
| addresses, database login info etc. These are not in a cgi-bin, but are in
| the root web folder or folders under that.
|
| I'm wondering: How secure are these bits of information from prying eyes?

you can set the permissions on any file/dir and lock them down tight...as
for getting the source via the internet, it depends on how you set up your
web server. how you secure it on your os determines how hidden it will be
from "prying eyes"...you could lock it from internet hackers but leave
yourself wide open to other kinds of hacks.
suffice it to say, most default setups for web servers and php make it
almost impossible to do what you're inferring someone will.

| My understanding is that PHP is executed server-side, and will only "write"
| to a browser what it is told to "write".
|
| but, otherwise, can php files in the root web folder be read or retrieved by
| the general public? would this be more of a CHMOD or HTACCESS issue?

only half-truths to that comment. php is "told [what] to write" by having it
parse a php script (your php files, iow) that is given by your web server.
the only way a person can get the source of that file is by you allowing
directory listings on a dir in your document root path, ftp access, or not
having your web server pawn the request for said page(s) to php (which is
either compiled into the web server as a module or run as a cgi
application). you can intentionally build a php script that allows the
delivery of your site's source through a browser...but i don't think that's
what you're going for. ;^)
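
An added example, not part of the original thread: a local audit of a document root for the exposure paths the reply lists, namely directories that would show a listing, PHP source sitting under an extension the server does not hand to PHP, and scripts readable by every local account. The function names, the sample tree, and the assumptions that only `.php` is mapped to the PHP handler and that `index.php`/`index.html` are the index names are all illustrative.

```python
import os
import stat
import tempfile

# Assumptions: only ".php" is mapped to the PHP handler; these are the index names.
PHP_HANDLED = {".php"}
INDEX_NAMES = {"index.php", "index.html"}


def audit_docroot(root, handled=PHP_HANDLED):
    """Return sorted (issue, relative_path) findings for a document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A directory without an index file shows its contents if listings are on.
        if not INDEX_NAMES & set(files):
            findings.append(("no-index", os.path.relpath(dirpath, root)))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                has_php = b"<?php" in fh.read(65536)
            ext = os.path.splitext(name)[1].lower()
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # PHP source under an unmapped extension is sent to the browser as text.
            if has_php and ext not in handled:
                findings.append(("served-as-source", rel))
            # Any other local account can read the script (the chmod side).
            if has_php and mode & stat.S_IROTH:
                findings.append(("world-readable", rel))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree: a handled script, a backup copy, an include."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "inc"))
    samples = {"index.php": 0o640, "config.php.bak": 0o644,
               os.path.join("inc", "db.inc"): 0o600}
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php $db_pass = 'constructed-sample'; ?>\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for issue, path in audit_docroot(build_sample_docroot()):
        print(f"{issue:18} {path}")
```

Whether a `world-readable` finding matters depends on who else has an account on the host and on which user the web server runs as; the web server itself still needs read access to every script it executes.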