-
I have a client that brought to my attention a very interesting problem.
He has a website (www.domain.com) with a PHP page on it (order.php) that connects to the database. He has the user and pass in the page.
OK.
This is a linux server.
It seems that another person on the server could just figure out what directory he is in.
Then just do "vi order.php"
So they could read the user and pass and then connect to the database and steal information.
Or even steal the scripts.
I hope I explained this OK.
Does anybody have a solution to this?
I sure hope so.
-
He should chmod the file so that only he and the root user (which presumably is running the Web server) can read the file.
-
I am a total newbie, so I can give you only the simplest tips:
1. The httpd (Apache) runs at "root" level, but all processes which serve connections run at "nobody" level (default setting), and the PHP script must be readable by that user.
2. Never put a mysql_connect() call directly in your PHP script, because if the PHP module accidentally stops working your script will be sent to a user's browser (and your password too). To avoid this, use the include() function in PHP and put the included script in a directory not available for browsing (i.e. outside the HTML root directory), e.g.:
<?php
// ...
// Credentials and the connection setup live outside the HTML root directory.
include("../classified/MySQL_access.inc");
// ...
mysql_query($sql,$db);
// ...
?>
This solution is recommended in the PHP or MySQL manual. I assumed that your script is in the HTML root directory.
3. Then you can restrict the "classified" directory and all files in it to only the "nobody" user, and it should do the trick. Even if another user reads your PHP scripts, they would be unable to find your MySQL password. Check whether the "nobody" account has a password set (you don't need to know it if it is set by default to some random string).
Regards
Chris
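-
An added example, not part of any post above: a POSIX shell check for the layout the replies describe, reporting whether a credentials include sits under the web root and whether the file or its directory is open to other local users. The function names and any paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example: audit where a PHP credentials include lives and who can read it.
# Function names are hypothetical; pass your own web root and include path.

# has_other_bits PATH: succeeds if PATH grants any permission to "other" users.
has_other_bits() {
    [ -n "$(find "$1" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) -print)" ]
}

# real_dir PATH: print the symlink-resolved directory containing PATH.
real_dir() {
    ( cd "$(dirname "$1")" 2>/dev/null && pwd -P )
}

# audit_secret_file DOCROOT FILE
# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_secret_file() {
    docroot=$( cd "$1" 2>/dev/null && pwd -P ) || { echo "bad docroot: $1"; return 1; }
    file=$2
    [ -f "$file" ] || { echo "missing file: $file"; return 1; }
    dir=$(real_dir "$file")
    findings=0

    # Tip 2: a file under the web root is sent as plain text if PHP stops parsing.
    case "$dir/" in
        "$docroot"/*) echo "inside web root: $file"; findings=$((findings + 1)) ;;
    esac

    # The original question: any local account can read a world-readable file.
    if has_other_bits "$file"; then
        echo "file open to other users: $file"; findings=$((findings + 1))
    fi

    # Tip 3: the containing directory should be closed to other users as well.
    if has_other_bits "$dir"; then
        echo "directory open to other users: $dir"; findings=$((findings + 1))
    fi

    return "$findings"
}
```

Call it as `audit_secret_file /path/to/html /path/to/classified/MySQL_access.inc`; a zero exit status means none of the three conditions was found.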