Protecting db_config file

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sp2hari
Forum Newbie
Posts: 14
Joined: Fri Jan 13, 2006 3:54 am

Post by sp2hari »

My server needs to allow others to upload PHP files (any file, for that matter). :cry:

I have a db_config file where I have put the MySQL password. :cry:

Now, is it possible for me to protect my db_config file even if people upload a file browser onto the server? :?:
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Restrict the upload destination(s), then create a .htaccess file for each directory with the following:

order deny,allow
deny from all

You can add to the end a line for allow from <your ip address> if you want to have access from your connection to browse and execute any files in that directory. Alternatively, you can move_uploaded_file() to a directory above the document root - this way the files are safely out of the public domain.

Or for another alternative, use chown() to adjust the permissions of the file to deny access.

Then create, or use one of the existing, file browsers for PHP to allow users to see what files have been uploaded.

For your db_config file, keep it above the document root - the include/require function can include a file from anywhere that the php engine has access to, so it doesn't need to be in the public domain.
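
One way to put the advice above together, as an added example that is not part of the original posts: uploads are stored above the document root under a server-chosen name and are only ever streamed back as a download, and db_config.php is loaded from the same private directory. The directory layout, the `upload` form field and the `id` query parameter are assumptions.

```php
<?php
// Added example. Assumed layout: this script lives in the document root
// (e.g. /home/site/public_html) and /home/site/private holds db_config.php
// and a writable uploads/ directory, so neither is reachable through a URL.
define('PRIVATE_DIR', dirname(__DIR__) . '/private');
define('UPLOAD_DIR', PRIVATE_DIR . '/uploads');

// include/require works on any path the PHP engine can read.
require PRIVATE_DIR . '/db_config.php';

// Store an upload outside the document root under a random name.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $id = bin2hex(random_bytes(16)); // never reuse the client's file name
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('Could not store upload');
    }
    return $id;
}

// Send a stored file back as inert bytes: it is read, never include()d.
function send_upload(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) { // rejects ../ and other paths
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (isset($_FILES['upload'])) {
    echo 'Stored as ', store_upload($_FILES['upload']);
} elseif (isset($_GET['id']) && is_string($_GET['id'])) {
    send_upload($_GET['id']);
}
```

Because the stored name has no extension and the file sits outside the document root, the web server has no URL that maps to it and no handler that would run it as PHP.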
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Exactly. Make sure that under no circumstances can the stuff they upload be executed.