Welcome to WebmasterWorld Guest from 220.127.116.11
All of my PHP scripts are in the "public_html" directory.
Are there any scenarios where someone can obtain those scripts without executing them? (and thus get my complete login information for credit card processor)
Instead, place your password file outside of public_html.
If you move the file to 'secure' folder you can still include it from public_html by:
Anything in that directory is not accessible from a browser. Thus, it will be pretty secure from anyone accessing the server via a browser.
But keep in mind that depending on how the server's file system security is set up, other users on the server may be able to access those files through the file system. Ideally, they shouldn't be able to, but on some servers it's possible. But it would be inaccessible from a browser.
Your web server runs as user "nobody" or "apache" (if you're using Apache).
If a malicious intruder guesses the password for user "nobody" or "apache", they have read/write access to any file that "nobody" or "apache" has access to. Which means ...
They can now read/modify any file accessible by your web server's "user", including any files stored in directories accessible by "nobody" or "apache".
By storing the sensitive files in an alternate directory, preferably outside of the "normal" web server directories, you have the opprtunity to restrict access to sensitive files, or to at least establish a different authorization mechanism for those files, which reduces the chance that they will be compromised.
You can usually set up any authentication mechanism (i.e. mysql login) in a less-susceptible directory, and use the various PHP authentication mechanisms to get into those sensitive directories by using a different username/password combination from the default web server username/password combinations ... reducing the chance of compromise.
Check out the various encryption methods available to you in PHP, realizing that many of them have been compromised on a global basis, for specific instances at a very profound level. For example, SSH0, SSH1, MD5 and others have been found to be able to be compromised by very sophisticated, very specific ways ... probably not for you to worry about in day-to-day implementations, but worth researching.
joined:Apr 22, 2004