Best policy for connections.php

[calabiyau]

Okay, so i'm saving my connections in a php file and storing it above my root directory.  Is it safe here and if not from whom?  People on my shared hosting?  What can be done about that?  Thanks!

[HoTDaWg]

well there are little tricks of securing certain files. for example, what the forum PhpBB does is it defines something on the index.php file. then, if there is a file it wants to protect, they secure it by doing this:
[code]
<?php
if(!defined['securitydefinition']){
  echo "hacking attempt";
  exit();
}else{
//db info
}
?>
[/code]
not really the best way to secure, but still helps.:D

[EKINdesigns]

Visitors cannot view php content.  The only way they would be able to get the information inside the file is by logging in to something like FTP.

[calabiyau]

Okay so what about this little piece from an article I read:

A huge number of people have purchased web hosting accounts on shared
servers - servers where your account is only one of many. Advice against
"storing sensitive data in the web tree" is of limited benefit if you
share a server with other accounts; the advice only protects the files
from being accessed via the web server program itself. It doesn't protect
the files from access by other means, such as PHP scripts written by
other people sharing the same server.


Unlike CGI scripts, all PHP code runs as the userid of the web server,
no matter in whose account it resides. That means that if *you* write
a PHP script that can access a file on your server, *anyone else* on
the same server as you can write a PHP script to access the same file,
in the same way.

I mean, how would this be done?  I am not trying to learn how to do anything malicious here, but really don't understand how they could get access to  your file and if it an actual php file what they would do to read your connection settings.  How can you ever feel secure if this is the case.  I am trying to set up an ecommerce solution for a friend of mine, with payment to be made through paypal.for use by the spring.  Nothing major, just sell a few items at a time. So i've got alot of work done and it is pretty secure from a lot of common attacks, and I figure 4 months is a lot of time to really secure it, but he is on shared hosting environment.  Does this mean that php and shared hosting is simply not secure enough for even basic e-commerce?

[genericnumber1]

such as if your script is at
"/var/apache2/users/calabiyau/htdocs/includes/connections.php"
and I'm
"/var/apache2/users/genericnumber1/htdocs/"

I could do something like
require("../../calabiyau/htdocs/includes/connections.php");

I haven't seen any public web servers nowadays that dont stop this kind of thing though... i've never had to worry about it.