[Phpwm] Basic PHP Query (Very basic!)

David Goodwin david at codepoets.co.uk
Thu Apr 27 14:39:37 BST 2006


> The best way really to manage site database passwords is to have an included
> file which holds bits like passwords and configuration settings such as
> siteadmin's email addresses in a different subdirectory, with some form of
> index file in there so no one can see what it's called.

I prefer to have a file called e.g. config.php which looks like:

<?php
$username = "bar";
$password = "foo";
$email = "spam at yahoo.com";
// ... further settings ...
?>

You can then load the config in all scripts by doing a simple:
require_once("config.php");


Even if someone can guess the right file name, they won't be able to see 
the contents as PHP will interpret the file, and output nothing.

Just don't call the file config.inc, as this will normally be returned 
to the browser as a text file - allowing anyone to see the contents 
(once they guess the name that is).

Calling the file something like config.php makes it obvious to a 
maintainer what it does, is easy to find (and almost a de facto standard).


Hiding a file in a 'random' directory provides no real security, and 
index files provide only moderate protection - if your app is 
distributed to many people a (cr|h)acker would eventually cotton on and 
know where to look.

David.

-- 
David Goodwin

[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk       ]
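
An added example, not part of the original message: a Python audit of a document root that lists files containing PHP source whose extension the server would return as plain text, as with config.inc above. It assumes only .php is mapped to the PHP interpreter; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the web server hands only these extensions to PHP; every other
# file is returned to the browser unmodified.
PHP_HANDLED = {".php"}
# PHP opening tags: "<?php" or the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def find_exposed_php(docroot, handled=PHP_HANDLED):
    """Return sorted docroot-relative paths of files that contain PHP source
    but have an extension the server would not interpret."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in handled:
                continue  # interpreted by PHP, source is never sent
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # inspect the first 64 KiB only
            except OSError:
                continue  # unreadable here; skip rather than abort the audit
            if PHP_TAG.search(head):
                exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)


def build_sample_docroot(root):
    """Write a small constructed tree mirroring the cases in the message."""
    config = b'<?php\n$username = "bar";\n$password = "foo";\n?>\n'
    files = {
        "config.php": config,               # interpreted, outputs nothing
        "config.inc": config,               # returned as text
        "inc/k3j9/settings.inc": config,    # "random" directory, still text
        "index.html": b"<html></html>",     # no PHP source inside
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for rel in find_exposed_php(root):
            print("served as plain text:", rel)
```

If the server is configured to pass other extensions to PHP, add them to PHP_HANDLED before running the audit.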
