RE: [cobalt-users] Severe Security Problem Between Sites
- Subject: RE: [cobalt-users] Severe Security Problem Between Sites
- From: Joe Kerns <joe@xxxxxxxxxxxxx>
- Date: Tue Mar 28 19:22:10 2000
> > > are readable (scripts often have to contain passwords) and data files
> > > where scripts write to are even writeable.
> >
> > Storing passwords in plain text...once again, a bit of sloppy
> > programming.
>
> I agree, but I don't know any other way. How do you add your passwords
> for MySQL databases in PHP scripts?
I get the digest so excuse me if this has been addressed. You should use include files with PHP/MySQL
(MySQL doesn't come installed; you break your warranty by installing it). Then your include
files should be in a non-world readable directory (i.e. require
("/home/sites/siteXX/someinclude.inc"); ). Only the script then can get to it, even if your PHP doesn't
work. So all your U/P info is in the include file.
Course, you'll say telnet users can get to it. Do what everyone else does and DISABLE telnet for
everyone but the box admin. People should not be developing on your production web-server. That makes
ZERO sense...you can chmod from FTP clients like CuteFTP, so there isn't a huge need for the average
user.
PHP can be run a little more securely, check the manual at www.php.net. There's a section on security
and how to do Apache module PHP a little more securely than wide open.
On the breaking the warranty thing, search for a post by Lyle Scheer last year. If you break something,
you should have made a back-up copy prior to mucking it up. Back up to that point and determine what
was wrong. Don't muck with something unless you have a known good copy to revert to. Common sense
(course, I learned it the hard way, too...<g>)
Joe
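As an added example (not code from Joe's post or from the Cobalt software), a small shell check for the arrangement he describes: the credentials include must sit outside the site's document root and must not be readable by other accounts on the box. The paths below are constructed for the example; siteXX is the post's placeholder and the "web" document-root directory name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a PHP include
# holding database credentials lives outside the web document root and is
# not world-readable, the placement the post recommends.

# check_include INCLUDE_FILE DOCUMENT_ROOT
# Returns 0 when the include is outside the document root and carries no
# permission bits for "other"; returns 1 (with a reason on stdout) otherwise.
check_include() {
  inc="$1"
  docroot="$2"

  [ -f "$inc" ] || { echo "missing: $inc"; return 1; }

  # Anything under the document root can be served raw over HTTP if the PHP
  # handler is ever disabled or misconfigured, so the include must not be there.
  case "$inc" in
    "$docroot"/*) echo "inside document root: $inc"; return 1 ;;
  esac

  # ls -ld prints a mode string such as -rw-r-----; characters 8-10 are the
  # permission bits for "other". Any of r, w or x set there lets every other
  # local account (FTP or telnet users) reach the credentials.
  other=$(ls -ld "$inc" | cut -c8-10)
  case "$other" in
    ---) ;;
    *) echo "world-accessible ($other): $inc"; return 1 ;;
  esac

  # The web server's user or group still needs read access; with an Apache
  # module PHP that usually means owner=site user, group=httpd, mode 640.
  echo "ok: $inc"
  return 0
}

# Usage: ./check_include.sh /home/sites/siteXX/someinclude.inc /home/sites/siteXX/web
if [ $# -eq 2 ]; then
  check_include "$1" "$2"
fi
```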