[pmwiki-users] Keeping MySQL passwords safe
Ben Stallings
ben at interdependentweb.com
Thu Apr 10 11:56:57 CDT 2008
Julius wrote,
> While installing the UpdateForm recipe (for interfacing with a mysql
> database), I bumped into a security issue. On
> http://www.pmwiki.org/wiki/Cookbook/UpdateForm it says:
>
> 3. Define (either in the script or in config.php) the constants
> DB_SERVER, DB_NAME, DB_USER,
> and DB_PASS to match your database, like so:
>
> define ('DB_SERVER', 'db1.example.com');
> define ('DB_NAME', 'my_database');
> define ('DB_USER', 'my_username');
> define ('DB_PASS', 'my_password');
>
> But I prefer to not store these inside my web/doc root.
> What is the best option to do this then?
>
> Should I best put
>
> require_once("../dbinclude.php");
>
> in /local/config.php or in updateform.php ?
> where dbinclude.php is:
> <?php include("/home/path_to_dbase_access_variables_stuff.php"); ?>
>
> or will the require_once cause trouble and should I use the include directly?
Hi, Julius. Require and include do basically the same thing, so there's
no need to require a file that does nothing but include another file;
you might as well do it in one step.

However, I question whether what you're suggesting will do any good,
since the file with the passwords in it has to be readable by the Web
server in order to be included by PHP, and as I understand it, that
means it will also be readable by anyone who has access to your Web
document root directory. I haven't tried it, though, so I may be
mistaken. Let me know what you find out!
Ben Stallings
Interdependent Web
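
An added example, not part of the original message or of the UpdateForm recipe: a single-step include for local/config.php that loads the four constants from a file outside the document root and refuses to continue if the file sits under the document root or is accessible to other local users. The path and the function name credential_file_problems are hypothetical.

```php
<?php
// Hypothetical path outside the web document root (assumption for this example).
$credFile = '/home/example_user/private/db_credentials.php';

/**
 * Return a list of problems with where and how the credentials file is stored.
 * An empty list means the file exists, is outside $docRoot, and is not
 * readable or writable by "other" users on the host.
 */
function credential_file_problems($credFile, $docRoot)
{
    $real = realpath($credFile);              // resolves symlinks and ../
    if ($real === false) {
        return array("credentials file not found: $credFile");
    }
    $problems = array();
    $root = ($docRoot !== '') ? realpath($docRoot) : false;
    if ($root !== false) {
        $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $root, strlen($root)) === 0) {
            $problems[] = "file is inside the document root ($root), so a URL can map to it";
        }
    }
    $mode = fileperms($real) & 0777;
    if ($mode & 0006) {
        $problems[] = sprintf('file mode %04o lets any local user read or write it', $mode);
    }
    return $problems;
}

$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
$problems = credential_file_problems($credFile, $docRoot);
if ($problems) {
    // Keep the detail in the server log; do not echo paths to the browser.
    error_log('DB credentials not loaded: ' . implode('; ', $problems));
    exit('Database configuration error.');
}

// The included file holds only the four define() lines quoted from the recipe.
require_once $credFile;

foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $name) {
    if (!defined($name)) {
        error_log("DB credentials file did not define $name");
        exit('Database configuration error.');
    }
}
```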