
PHP Server Side Scripting Forum

    
Creating a config file through PHP Form
permissions concerns
rover




msg:1284090
 1:50 am on Mar 15, 2006 (gmt 0)

I have a PHP script that creates a config.php file (with MySQL database name, password, etc. in it) from user input into a form.

It is creating the config.php file with the permissions of 666. Will this be a big security problem? Does giving permissions with global write access make it more possible for others to get access to the username password information? Or does it just make it more possible for them to write over or delete the file?

I noticed that if I modify the script to chmod to 644, then it is no longer possible for me to change the file permissions or even delete the file through an FTP client like FileZilla because PHP has the file ownership which is different from the FTP owner.

Does anyone know the security implications of the config file having permissions set at 666?

 

ShoT




msg:1284091
 6:39 am on Mar 15, 2006 (gmt 0)

Not really, no. Is your database server "localhost"?

If it is, then you can access it only from THAT server which your hosting is on. Some companies provide you with a server that is, for example, "database340.myhost.net"; then there's a slight security hole, because that means the hosting company allows access to that server from within their servers, so if I'm in the same hosting company as you, I can easily set up phpMyAdmin using the details in your config.php and connect to your database. Otherwise, even when it comes to the CHMOD part, if someone overwrites your database, then just have a backup of it lying around and replace it, but it's highly doubtful that someone would do so, because then you can get your hosting company and/or the person that did it in a lot of trouble, now that it's called "Terrorism".

rover




msg:1284092
 6:31 pm on Mar 15, 2006 (gmt 0)

Thanks very much for your help. Yes it does run under localhost.
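
For reference on the permissions question in the first post, the following is an added example and not code posted by anyone in the thread: it writes a generated config file with owner-only permissions (0600) and then audits the mode bits, showing what 666 exposes. The function names `write_config` and `audit_config`, the file path and the database values are hypothetical.

```php
<?php
// Added example, not from the thread. Names and sample values are hypothetical.

/** Write a config file readable and writable by its owner only (mode 0600). */
function write_config(string $path, array $settings): void
{
    // var_export() emits valid PHP literals, so form input cannot break out
    // of the generated file as code.
    $body = "<?php\nreturn " . var_export($settings, true) . ";\n";
    // Tighten the umask so the file is never group/world accessible.
    $old = umask(0077);
    try {
        $tmp = tempnam(dirname($path), 'cfg');
        if ($tmp === false) {
            throw new RuntimeException('cannot create temp file');
        }
        if (file_put_contents($tmp, $body, LOCK_EX) === false
            || !chmod($tmp, 0600)
            || !rename($tmp, $path)) {   // atomic replace on the same filesystem
            @unlink($tmp);
            throw new RuntimeException("cannot write $path");
        }
    } finally {
        umask($old);
    }
}

/** Return a list of problems found in the file's permission bits. */
function audit_config(string $path): array
{
    clearstatcache(true, $path);
    $mode = fileperms($path) & 0777;
    $problems = [];
    if ($mode & 0002) $problems[] = 'world-writable: other local accounts can replace it';
    if ($mode & 0004) $problems[] = 'world-readable: other local accounts can read the password';
    if ($mode & 0020) $problems[] = 'group-writable';
    return $problems;
}

// Constructed sample values.
$path = sys_get_temp_dir() . '/config.example.php';
write_config($path, ['db_host' => 'localhost', 'db_name' => 'example_db',
                     'db_user' => 'example_user', 'db_pass' => 'example-password']);
printf("%s mode %04o, problems: %s\n", $path, fileperms($path) & 0777,
       implode('; ', audit_config($path)) ?: 'none');
chmod($path, 0666);   // the mode described in the first post
print_r(audit_config($path));
unlink($path);
```

Mode 0600 only separates operating-system accounts: where every site's PHP runs under the same web-server account, scripts from other sites can still read the file. With the ownership split described in the first post, the FTP account also loses read access under 0600.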

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved