[thelist] RE: PHP Problem

Oliver Lineham oliver at lineham.co.nz
Fri Nov 17 19:20:50 CST 2000

At 19:40 17/11/2000 +0100, you wrote:

>Some day the database quitted its service for some hours, and when I
>looked at the pages, I was a bit shocked: The error message pointed
>to the include file, and when I clicked on the URL which was shown,
>voilà - the include file *with db password* was presented!

a) did the include file have <?php and ?> around the php code?

b) what was the suffix of the include file?

if it wasn't .php3 or something, your system was always vulnerable from 
someone guessing the path to the include file.

there are two recommended solutions:

- name include files with a php suffix so that if someone loads it 
directly, it gets parsed by PHP and sensitive data (like passwords) doesn't 
get displayed.

- files with sensitive code should be stored outside of the web root (so 
people can't access the file directly with a browser).  then, even if your 
webserver stops parsing PHP files (maybe the server got upgraded badly) 
people still can't access the file.

these two techniques also apply to ASP.


     v i b e   m e d i a    http://www.vibe.co.nz/
  po box 10-492              wellington, new zealand
  phone +64 21 210-7845         oliver at lineham.co.nz

More information about the thelist mailing list