Quote Originally Posted by DoubleDee View Post
In another thread of mine, people were saying that PHP Constants are "global", but I don't think that is true since you have to Include them in order for them to be seen.

It would be nice if *outside* the Web Root I could do this...

DATABASE_SETTINGS = '/var/www/vhosts/MySite.com/SECRET_FOLDER_OUTSIDE_ROOT/database_settings.php';


And then in any script, just say...
Code:
	require_once(DATABASE_SETTINGS);

That way, when some script says the "magic word", the PHP gods from above know to link the file from above the Web Root to the script in the Web Root, but anyone who get's access to the script's contents would only see the obscure reference to...
Code:
	require_once(DATABASE_SETTINGS);

Follow my line of thinking?
Yes, but if I can read your file, you've got bigger problems than worrying about the location of your files. Next time you have it up, I potentially know all of the SQL, XSS, and other vulnerabilities of your site (as I was shown the source code). I also know variable to use to include your database settings, so I could simply execute a script that read the contents of DATABASE_SETTINGS and wrote it out, thus seeing what the file contains.

If you see value in that approach, use it. But if you have a file injection vulnerability, then outputting the value of DATABASE_SETTINGS is child's play.

Quote Originally Posted by DoubleDee View Post
Off Topic:

I know most people don't care or think I'm paranoid, but I'm telling you that hackers in 2013 have taken the game to a WHOLE NEW LEVEL, and what was sufficient 5 years ago just doesn't cut it today!!

And *if* I am ever going to finish this website and get it online, and let thousands of innocent people trust their sensitive info with my website and database, then I want to go above and beyond the call of duty and really go out of my way to protect people's info!!!

Like everything out there, I am sure there are better solutions, it is just a real challenge to try and out-fox modern day hackers?!
Moot point. In 5 more years, the hackers of today will be put to shame by the hackers of 2018. If you sit and wait for a perfect site, you'll never publish anything, as there is no such thing (just read the news).

Quote Originally Posted by DoubleDee View Post
So, sorry for wanting the world, but I just see so many websites fail these days, and I don't want to take any shortcuts and then later jeopardize my customers' data...

To date, it has been my experience that if I try hard enough, I have always been able to find solutions that are rock-solid and that keep things safe.

But on this thread, I obviously need some help!!
There is nothing wrong with wanting the world, until you get to the point of an unobtainable goal. You are at that point. You need to start moving forward. Establish procedures for resetting customer passwords (if they would get breached), etc.