Hide database access data
Posted: Fri Nov 30, 2007 6:53 am
I think this is generic to all PHP packages that use a database (MySQL, typically), but I know it holds for phpBB2 and WordPress: Database access information is stored - in plain text - in a PHP file: config.php for phpBB2, wp-config.php for WordPress. It contains database access information: username, password, host and prefix.
Since this file needs to be readable by the webserver, anyone that gains access to the directory will have read access to this file, and malicious users may find a way into your database (if not worse) using this data.
On VMS, it's easy to secure it and have all working nicely - look at http://www.grootersnet.nl/sysblog/?p=184. All my blogs and forums are secured this way.
