Quick question

alfoxy

Hello all
Im trying to stop people viewing php scripts that have password and stuff in them .
I found this article about it but im not sure which bit is the secure bit ?
------article------
By turning on safe_mode and defining doc_root and user_dir, you can eliminate the nosey user problem by restricting him to files contained in his virtual host document root.
The following is an example of how the php.ini file might look for these three directives:

safe_mode = On
doc_root = /usr/local/apache/htdocs
user_dir = /home/jdoe/htdocs

Do i put my php scripts in /home/jdoe/htdocs or the other one or how does this work ?

Any help or explination would be great
Thanks
Al

crusty_php

See this thread on devshed

http://forums.devshed.com/showthread.php?s=99e4c269fd1d8ed4107cad3e8f74d3db&threadid=20525&forumid=5&highlight=security+view+code

and this

http://forums.devshed.com/showthread.php?s=99e4c269fd1d8ed4107cad3e8f74d3db&threadid=18213&forumid=5&highlight=security+view+code

alfoxy

Thanks for your help
Al

alfoxy

How do YOU protect your database login and password ?

crusty_php

The're in an include file outside my web folder.

alfoxy

But whats to stop someone typing wherever/connect.ini or whatever its called into the browser window ... then they'll be prompted to save it or it'll be viewed as a text file ?

crusty_php

The web (htdocs) folder is the root as far as people browsing a web site are concerned, you cannot get to a higher level in the tree.
Never keep anything in a .inc file that you don't want to give away, use instead .php files.

alfoxy

thanks for your time martin