haaglin
Posted November 15, 2006

Hi. I'm looking for a good way of protecting my config files that contain MySQL passwords from being read by other customers on the same host as I use. As a test I made a config file, and uploaded it on my user. And I used another account to upload this script:

[code]
<?php
// Read the target config file and show its contents in a textarea
$filename = realpath("path_to_config.php");
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo '<textarea name="textareaName" rows="46" cols="103">'.$contents.'</textarea>';
?>
[/code]

And I was able to read the file. Is this a host security issue? Or can I do something to prevent reading?

I tried to deny world read access, but then Apache didn't have access to it. This is a huge security issue.

Link to comment: https://forums.phpfreaks.com/topic/27350-prevent-read-access-of-config-files/

trq
Posted November 15, 2006

[quote]I tried to deny world read access, but then Apache didn't have access to it.[/quote]

That shouldn't be right. What permissions have you set?

haaglin (Author)
Posted November 15, 2006

I used 640. I tried many combinations, but I needed read access on world to allow PHP to include the file.

The Little Guy
Posted November 15, 2006

Guide to password protect files:
http://home.golden.net/htaccess.html

haaglin (Author)
Posted November 15, 2006

Thanks, I'll look at that one. Will people be prompted for pass when it's included in another script?

The Little Guy
Posted November 15, 2006

I don't think so... But you will have to try.

haaglin (Author)
Posted November 15, 2006

It only denied access to the directory, not reading the file with PHP. :-\

The Little Guy
Posted November 15, 2006

Try this: in the .htaccess file:

change: [b][Ll][Oo][Gg][/b] to the extension that you want, this blocks all files with the extension log, Log, LOG, lOg, loG, etc. You may want: [b][Cc][Oo][Nn][Ff][Ii][Gg][/b]

change: [b]*[/b] to the filename, or leave as * to apply this to all the extensions.

[code]
<Files ~ "^.*\.([Ll][Oo][Gg])">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>
[/code]

haaglin (Author)
Posted November 15, 2006

Thanks, but PHP is still able to read the file. To explain further, here is an example:

www.domain1.com:
[code]
root: /var/www/web1/web/
file: /var/www/web1/web/config/constants.php

constants.php:
<?php
define("MYSQL_PASS","123456789");
?>
[/code]

www.domain2.com:
[code]
root: /var/www/web2/web/
file: /var/www/web2/web/test.php

test.php:
<?php
// Read the other site's config file and show its contents in a textarea
$filename = realpath("../../web1/web/config/constants.php");
$handle = fopen($filename, "r");
$contents = fread($handle, filesize($filename));
fclose($handle);
echo '<textarea name="textareaName" rows="46" cols="103">'.$contents.'</textarea>';
?>
[/code]

Outputs the content.

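Added example (not part of the original posts): a shell sketch of the POSIX owner/group/other read check, applied to the constants.php case above to show why neither mode 640 nor an .htaccess rule separates the two sites. The UIDs and GIDs (1001, 1002, 33) and the premise that both sites' PHP runs as one shared Apache user are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. UIDs/GIDs are constructed: web1=1001, web2=1002, Apache=33.

# can_read MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS" -> prints yes|no
# POSIX selects exactly one class (owner, else group, else other) and
# consults only that class's read bit.
can_read() {
    perms=$((0$1)); file_uid=$2; file_gid=$3; proc_uid=$4; proc_gids=$5
    if [ "$proc_uid" -eq 0 ]; then echo yes; return 0; fi   # root bypasses mode bits
    if [ "$proc_uid" -eq "$file_uid" ]; then
        bit=$(( (perms >> 8) & 1 ))          # owner read (0400)
    else
        bit=$(( (perms >> 2) & 1 ))          # other read (0004)
        for g in $proc_gids; do
            if [ "$g" -eq "$file_gid" ]; then
                bit=$(( (perms >> 5) & 1 ))  # group read (0040)
                break
            fi
        done
    fi
    if [ "$bit" -eq 1 ]; then echo yes; else echo no; fi
}

# report MODE FILE_GID WEB1_PHP_UID WEB2_PHP_UID
# constants.php is owned by web1 (uid 1001). Each process is assumed to have
# a single group whose number equals its uid.
report() {
    echo "web1_php=$(can_read "$1" 1001 "$2" "$3" "$3") web2_php=$(can_read "$1" 1001 "$2" "$4" "$4")"
}

# Shared Apache user (33) runs PHP for both sites:
echo "644 web1:web1   -> $(report 644 1001 33 33)"
echo "640 web1:web1   -> $(report 640 1001 33 33)"
echo "640 web1:apache -> $(report 640 33 33 33)"
# Each site's PHP runs under its own account:
echo "600 web1:web1   -> $(report 600 1001 1001 1002)"
```

With a shared Apache user, every mode that lets web1's PHP read the file also lets web2's PHP read it; only the last case, where each site's PHP runs under its own UID, separates them.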
haaglin (Author)
Posted November 16, 2006

*bump*

Archived
This topic is now archived and is closed to further replies.