
[OT]Re: [Forward - t-l-engh@online.no: New game project: Civ clone]



On Thu, 5 Aug 1999, Paul Tiseo wrote:

> 	I didn't write it. Soren, from the sunsite staff wrote it, and I guess it
> somehow still needs debugging. It's not in any of linuxgames's folders but
> resides elsewhere. It's basically a php include that you call via the
> require() command and contains the functions connect() and disconnect() for
> attaching specifically to our database. Otherwise, the host, db name and
> password would be found in the php file the website user calls. While you
> could restrict access to the php source, I guess a malicious hacker could
> get at the file and then wreck our db. By placing the whole password db
> connect thing in another file in a more secure location, you can cut down
> on this.

You not only should place the script containing the db username/password in
another directory, you should place it in a directory that does not get
served by the webserver. PHP has "global" includes (global relative to the
virtual site (assuming apache here)) that can be used for this purpose,
for example:

<VirtualHost dql.challenge.dk>
  ServerAdmin webmaster@challenge.dk
  DocumentRoot /home/dql/dql.challenge.dk/public_html/
  ServerName dql.challenge.dk
  ErrorLog /var/log/httpd/dql.challenge-error_log
  TransferLog /var/log/httpd/dql.challenge-access_log
  ScriptAlias /cgi-bin /home/dql/dql.challenge.dk/public_html
  php3_include_path .:/home/dql/dql.challenge.dk/include
</VirtualHost>

As you can see, the php3 include directory is not part of the web-servable
tree; the include path contains "." as well as a proper include directory.

Another thing you could do is disable network connections to the database
server (I believe most db servers support this). This way, only local
processes (like the webserver process) and auth. processes can access the database.

Mads

-- 
Mads Bondo Dydensborg.                               madsdyd@challenge.dk
When a single line of script in Linux can do things that'd keep you 
pointing-and-clicking forever in Windows, you have great motivation to learn 
that line of script.
                                        - Chris Worth on The Microsoft Matrix
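The mail's point is that the credentials include must live outside the tree Apache serves. The following is an added example, not code from the original mail or from the sunsite/linuxgames project: two small POSIX shell functions that check a credentials file and a php include_path against a DocumentRoot, so the arrangement shown in the VirtualHost above can be verified rather than assumed. The paths in the test calls are taken from the VirtualHost block; the file name dbconnect.php is a constructed placeholder.

```shell
# Added example (not from the original mail): sanity checks that a PHP
# credentials include really lives outside the web-servable tree.
# Paths are compared textually after trimming a trailing slash; symlinks are
# not resolved, so run `realpath` on both arguments first on a live system.

# outside_docroot FILE DOCROOT
# Returns 0 when FILE is not located under DOCROOT, 1 when it is served.
outside_docroot() {
    file=$1
    docroot=${2%/}
    case "$file" in
        "$docroot"/*) return 1 ;;   # the slash avoids matching /public_html2
        *) return 0 ;;
    esac
}

# served_include_dirs INCLUDE_PATH DOCROOT
# INCLUDE_PATH is the colon-separated php include_path value. Prints every
# absolute entry that sits inside DOCROOT (i.e. would be served by Apache).
# Returns 0 when none are, 1 when at least one entry is served.
served_include_dirs() {
    include_path=$1
    docroot=${2%/}
    bad=0
    old_ifs=$IFS
    IFS=:
    for dir in $include_path; do
        IFS=$old_ifs
        case "$dir" in
            .|"") continue ;;                      # relative entries resolve against the calling script
            "$docroot"|"$docroot"/*) echo "$dir"; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}

# Example run against the VirtualHost in the mail (dbconnect.php is a constructed name):
# outside_docroot /home/dql/dql.challenge.dk/include/dbconnect.php /home/dql/dql.challenge.dk/public_html/
# served_include_dirs ".:/home/dql/dql.challenge.dk/include" /home/dql/dql.challenge.dk/public_html/
```

Both checks pass for the configuration in the mail: the include directory is a sibling of public_html, not a child of it. The "." entry is skipped deliberately; it resolves relative to the executing script, which is itself inside DocumentRoot, so a credentials file must not be placed there even though "." is on the include path.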