Msg#: 12121 posted 1:50 am on Mar 15, 2006 (gmt 0)
I have a PHP script that creates a config.php file (with MySQL database name, password, etc. in it) from user input into a form.
It is creating the config.php file with the permissions of 666. Will this be a big security problem? Does giving permissions with global write access make it more possible for others to get access to the username password information? Or does it just make it more possible for them to write over or delete the file?
I noticed that if I modify the script to chmod to 644, then it is no longer possible for me to change the file permissions or even delete the file through an FTP client like FileZilla because PHP has the file ownership which is different from the FTP owner.
Does anyone know the security implications of the config file having permissions set at 666?
Msg#: 12121 posted 6:39 am on Mar 15, 2006 (gmt 0)
Not really, no. Is your database server "localhost"?
If it is, then you can access it only from THAT server which your hosting is on. Some companies provide you with a server that is, for example, "database340.myhost.net"; then there's a slight security hole, because that means the hosting company allows access to that server from within their servers, so if I'm in the same hosting company as you, I can easily set up phpMyAdmin using the details in your config.php and connect to your database. Otherwise, even when it comes to the CHMOD part, if someone overwrites your database, then just have a backup of it lying around and replace it, but it's highly doubtful that someone would do so, because then you can get your hosting company and/or the person that did it in a lot of trouble, now that it's called "Terrorism".
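What the mode digits discussed in this thread grant to each class of user, and one way to write the file without leaving it world-accessible, as an added example that is not code from either poster. The path, setting names and credentials are constructed, and `describe_mode` and `write_config` are hypothetical helper names.

```php
<?php
// Added example, not code from the thread. Path and credentials are constructed.

/** Decode a mode such as 0666 into rwx strings for owner, group and other. */
function describe_mode(int $mode): array
{
    $out = [];
    foreach (['owner' => 6, 'group' => 3, 'other' => 0] as $class => $shift) {
        $bits = ($mode >> $shift) & 7;
        $out[$class] = (($bits & 4) ? 'r' : '-')
                     . (($bits & 2) ? 'w' : '-')
                     . (($bits & 1) ? 'x' : '-');
    }
    return $out;
}

/** Write the config with a restrictive mode from the moment it is created. */
function write_config(string $path, array $settings, int $mode = 0600): void
{
    // var_export() emits quoted PHP literals, so form input is stored as data.
    $body = "<?php\nreturn " . var_export($settings, true) . ";\n";
    $tmp  = $path . '.tmp';
    $old  = umask(0077);            // new files get no group/other bits
    try {
        if (file_put_contents($tmp, $body, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $tmp");
        }
        chmod($tmp, $mode);         // also covers a pre-existing temp file
        if (!rename($tmp, $path)) { // replace the old config in one step
            throw new RuntimeException("cannot move $tmp to $path");
        }
    } finally {
        umask($old);
    }
}

// 0666 and 0644 both show "r" for other; only 0666 also shows "w".
foreach ([0666, 0644, 0600] as $m) {
    $d = describe_mode($m);
    printf("%04o owner=%s group=%s other=%s\n", $m, $d['owner'], $d['group'], $d['other']);
}

$path = sys_get_temp_dir() . '/config-example.php';   // constructed location
write_config($path, ['db_host' => 'localhost', 'db_user' => 'example_user',
                     'db_pass' => 'constructed-password']);
clearstatcache();
printf("%s written with mode %04o\n", $path, fileperms($path) & 0777);
```

Whether another account can delete the file depends on write permission on the containing directory, not on the file's own mode. With mode 0600 and the PHP user as owner, a separate FTP account can neither read nor edit the file.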