Re: config files

On Thu, 28 Jul 2005 07:31:43 -0600, "Michael G" <mike-g@montana.com> wrote:

>I have a file outside of the web root and this file contains db
>username/passwds, and other config stuff. I include this file as needed in
>the scripts. Is this a secure way of doing this?

 Security is rarely absolute, but this is a pretty good method in most cases.

>Would the contents of
>this file ever be visible to web users under normal or abnormal conditions?

 To web users - not under normal conditions, and it would take a severe bug to
show it under abnormal conditions (i.e. a page that due to a bug allowed direct
display of arbitrary files).

 Note that this is not fully secure on a shared webhost if the other users of
that server (not web users - but server users) aren't trusted, as other users'
PHP scripts are likely to be able to access the file outside the web root if
they know where it is - it's got to be accessible to the webserver, and other
users may be using that webserver.

 If the userbase of the server is trusted, this is fine - e.g. you have a
dedicated server. Even if not, you can make a judgement call as to whether
other users of the server would jeopardise their investment in hosting by
"hacking" other users on the same server.

 There are ways of locking this down further, but you'd probably have to run
PHP as CGI so it ran under your own user credentials - but this has potentially
serious performance implications.

-- 
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool