Kirk.Johnsonzootweb.com
Date: Tue May 16 2006 - 17:07:32 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

John Madden <chiwawa999yahoo.com> wrote on 05/15/2006 12:07:57 PM:

> Is it standard to use INC files to store MYSQL db
> connections settings (username and password)?
>
> What else could you do to make this "safer" ?

Summarizing the responses so far, four approaches to this problem have
been offered:

1. Make include files parseable as PHP, through a combination of filename
extension and httpd.conf.
2. Deny requests on include files, through a combination of filename
extension and httpd.conf.
3. Locate include files outside document root.
4. Use the mod_security package.

One potential issue with #1, seldom mentioned, is that include files may
then be executed out of context. You will have to be the judge if that is
a problem for each of your include files.

Any solution through httpd.conf (or other configuration) relies on the
"perfectability of man": the configuration must be re-created when the
server is rebuilt, the new trainee takes over, etc. I have personally seen
this approach fail when the configuration was not carried along during a
version upgrade.

I will cast my vote for #3, when it is possible to do so. Chris Shiflett
[Essential PHP Security] also recommends this as the primary approach.

Kirk

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security
assessment by leading market research firm. Watchfire's AppScan is the
industry's first and leading web application security testing suite, and
the only solution to provide comprehensive remediation tasks at every
level of the application. See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]