[prog] PHP script security

J Neefer! neefer at speakeasy.org
Wed Aug 13 13:18:08 EST 2003


On Aug 13, 2003 at 01:30PM (-0400), Kristin M. Fitzsimmons 02 said:
> 
> I'd also like to know if there's a more secure way of doing this sort 
> of thing -- I haven't found anything to suggest that this method isn't 
> ok, but that doesn't necessarily mean there isn't something better out 
> there. ;)

All my DB connect stuff is in a global include file (dbname, username, 
password, server, etc) because I hate having replicated code and/or static 
variables.  :-)  Plus, I use PEAR, which is DB-independent, so if I switch 
from postgres to mysql, all I have to do is change the value of $dbtype 
in my globals file and everything automagically still works.

I name all of my .inc files .inc.php because if you put in the
URL of an .inc file, the browser will display the source code.  If
I put <?php ?> around the entire contents of the file, then name
it .inc.php, when the browser retrieves it it will be rendered
as an empty page.

This is at least a few steps more secure than the standard way of
embedding it in the script, but probably won't stop the serious
3v!L H@><0r from getting the info.

I'll have to test out the earlier suggestion of making the file
non-accessible to apache, but still readable by PHP.  I'm not
sure if that is possible in our configuration.

--Neef!

-- 
"When the gods passed out biological clocks, I went back in line for 
a second helping of brains."  --me 6/19/2001
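An added example, not code from the post or from anyone on the list, of the two defenses the message points at: keeping the credentials file outside the document root so the web server never has a URL for it, and having the file itself refuse to do anything when it is requested directly instead of included. The directory layout (/var/www/private and /var/www/public_html), the constant APP_BOOTSTRAPPED, and the variable values are assumptions made for the example; the PEAR DB DSN string follows the documented `phptype://user:pass@host/db` form.

```php
<?php
// ---- /var/www/private/config/db.inc.php -------------------------------
// (hypothetical path; this directory is NOT under the web server's
// DocumentRoot, so no URL maps to it even if .inc handling is misconfigured)

// Guard: if this file is ever served directly rather than included from an
// entry script, produce nothing useful. Combined with the .inc.php naming
// the poster uses, a direct request yields an empty 404 instead of source.
if (!defined('APP_BOOTSTRAPPED')) {
    http_response_code(404);
    exit;
}

// Globals, in the spirit of the poster's single "globals file".
// Values are placeholders for the example.
$dbtype = 'pgsql';        // change to 'mysql' to switch backends under PEAR DB
$dbhost = 'localhost';
$dbname = 'appdb';
$dbuser = 'appuser';
$dbpass = 'CHANGE-ME';    // placeholder, never a real secret

// Build the PEAR DB DSN once so no script has to assemble it by hand.
function db_dsn()
{
    global $dbtype, $dbuser, $dbpass, $dbhost, $dbname;
    return sprintf('%s://%s:%s@%s/%s',
        $dbtype, rawurlencode($dbuser), rawurlencode($dbpass), $dbhost, $dbname);
}

// ---- /var/www/public_html/index.php -----------------------------------
// (hypothetical entry script; this one IS reachable by URL)

define('APP_BOOTSTRAPPED', true);

// Resolve the config relative to this script and step out of the web root.
// realpath() returns false if the file is missing, which we treat as fatal
// rather than silently running without credentials.
$config = realpath(dirname(__DIR__) . '/private/config/db.inc.php');
if ($config === false || !is_readable($config)) {
    http_response_code(500);
    exit('configuration unavailable');
}
require $config;

// From here on the entry script uses db_dsn() with PEAR DB, e.g.
//   require_once 'DB.php';
//   $db = DB::connect(db_dsn());
// The credentials themselves never appear in any file under public_html.
```

The guard only helps if the file is parsed as PHP; a file outside the DocumentRoot is protected regardless of how the server treats `.inc`, which is why the example does both. The file should also be owned by the deploy user and readable by the account PHP runs as, but not world-readable, so that other local users on a shared host cannot read it either.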

