php-db | 2001011
Date: 01/06/01
- Next message: John Starkey: "[PHP-DB] PHP4 and PHP3 happy together?"
- Previous message: the_xeer <email protected>: "[PHP-DB] Database security with PHP"
- In reply to: the_xeer <email protected>: "[PHP-DB] Database security with PHP"
> I'm using PHP on a web-server which I administrate to access & change
> information in a database which is also stored on the server. This
> clearly means that the username and password for editing the database
> need to be accessible by PHP => need to be stored in a file which PHP
> can read. We also allow users on our network to create their own
> personal web-pages on this server, which is where my problem arises.
> Any user can, therefore, write a PHP script which prints out the
> contents of the file which contains my database username and password
> (since PHP must be able to read this file) and thus gain unauthorised
> access to the database. Is there any way of avoiding this? I need to
> provide all of these services on one machine (i.e. obtaining a
> separate machine for user web-pages is not feasible). Ideas anyone? (I
> expect this is a common problem so hopefully someone can help!!!)

Please use carriage returns in your emails so we can actually read them.

As for your question, I would simply run two Apache instances as different
user ids. Have one for the public server and another for the
administrative stuff. That is the most secure solution.

Another way is to turn on safe-mode. safe-mode checks the owner of the
script being executed and prevents it from accessing files owned by
another user id.

-Rasmus
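
A check for the two-instance setup suggested in the reply above (an added example, not part of the original message): given the uid and gids the public Apache instance runs under, it reports whether the database credentials file would be readable by that instance. The function names and the calling convention are hypothetical, and only classic owner/group/other mode bits are examined, not ACLs or parent-directory permissions.

```shell
#!/bin/sh
# Added example: audit a DB credentials file when the admin and public
# Apache instances run under different user ids.
# Assumption: the admin instance runs as the file's owner; the public
# (user web-pages) instance runs as OTHER_UID with the listed gids.

# perm_has FILE MASK: true if FILE has every permission bit in MASK set.
perm_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# creds_status FILE OTHER_UID [OTHER_GID...]
# Prints one of: missing, world-readable, owned-by-other,
# group-readable, ok.
creds_status() {
    file=$1; other_uid=$2; shift 2
    if [ ! -f "$file" ]; then echo missing; return 0; fi

    # Any "other" read bit exposes the file to every local account.
    if perm_has "$file" 0004; then echo world-readable; return 0; fi

    # Numeric owner and group, so the check works without passwd lookups.
    owner=$(ls -ldn "$file" | awk '{print $3}')
    group=$(ls -ldn "$file" | awk '{print $4}')

    # The public instance must not own the file: an owner can chmod it back.
    if [ "$owner" = "$other_uid" ]; then echo owned-by-other; return 0; fi

    # A group read bit matters only if the public instance is in that group.
    if perm_has "$file" 0040; then
        for g in "$@"; do
            if [ "$g" = "$group" ]; then echo group-readable; return 0; fi
        done
    fi
    echo ok
}

# Stand-alone use: sh check.sh /path/to/creds-file OTHER_UID [OTHER_GID...]
if [ "$#" -ge 2 ]; then
    creds_status "$@"
fi
```

Anything other than `ok` means a script served by the public instance could read the credentials, which is the exposure described in the question.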

