Include - bug


rokec

8:30 pm on Dec 21, 2006 (gmt 0)

If someone includes my php file, can he read all the variables and access the database?

jatar_k

8:32 pm on Dec 21, 2006 (gmt 0)

not necessarily

if the file is included then they get output, not raw code, if they know the varnames they can very well access them

eelixduppy

8:42 pm on Dec 21, 2006 (gmt 0)

You could easily get the variables by using get_defined_variables, couldn't you?

Maybe you want to unset the variables at the end of the included file so that they cannot be used again.

rokec

8:48 pm on Dec 21, 2006 (gmt 0)

And what about updating and viewing MySQL?

eelixduppy

8:51 pm on Dec 21, 2006 (gmt 0)

If you unset the variables that deal with mysql, and close the connection, I don't see a problem with it.
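The unset-and-close pattern suggested above, as an added example that is not code from the thread: it uses get_defined_vars() (the function referred to above as get_defined_variables) and the mysqli extension to show which names an including script can still read back with and without the cleanup. The included file is embedded as a string for a one-script demo, and $skip_cleanup, leaked() and the sample credentials are assumptions made for that demo.

```php
<?php
// Added example, not code from the thread. The "included file" is embedded
// as a string and written to a temp file so the demo runs from one script;
// in real use it would be a separate file kept above the web root.
$includedSource = <<<'PHP'
<?php
mysqli_report(MYSQLI_REPORT_OFF);   // report via connect_errno, no exceptions
$db_host = 'localhost';             // constructed sample values; the
$db_user = 'app';                   // password is a placeholder
$db_pass = 'EXAMPLE_PASSWORD';
$link = class_exists('mysqli') ? @new mysqli($db_host, $db_user, $db_pass, 'appdb') : null;
if ($link && $link->connect_errno === 0) {
    $res = $link->query('SELECT COUNT(*) AS n FROM users');
    $row = $res ? $res->fetch_assoc() : ['n' => 0];
    echo "users: {$row['n']}\n";
    $link->close();                 // the "close the connection" step
}
if (empty($skip_cleanup)) {         // $skip_cleanup exists only for this demo
    // the "unset the variables" step: nothing sensitive survives the include
    unset($db_host, $db_user, $db_pass, $link, $res, $row);
}
PHP;
$file = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($file, $includedSource);

// Names from the include that the including script can still read back.
function leaked(array $vars): array {
    $sensitive = ['db_host', 'db_user', 'db_pass', 'link'];
    return array_values(array_intersect($sensitive, array_keys($vars)));
}

$skip_cleanup = true;               // 1) include without the cleanup step
include $file;
echo "without cleanup: " . implode(', ', leaked(get_defined_vars())) . "\n";

$skip_cleanup = false;              // 2) include with unset + close at the end
include $file;
echo "with cleanup:    " . implode(', ', leaked(get_defined_vars())) . "\n";
unlink($file);
```

The first line lists db_host, db_user, db_pass and link; the second lists nothing, because the include removed them before returning to the caller.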

jatar_k

9:56 pm on Dec 21, 2006 (gmt 0)

>> get_defined_variables

that's the one I was trying to think of

why do you think someone would be able to include your file?

store it above the root

mcavic

11:21 pm on Dec 21, 2006 (gmt 0)

If someone is able to access your PHP script on the local server, then yes, they can get your database password, and your php code.

So you need to prevent them from being able to access it. On a shared server, that's probably impossible, because the Web server needs to be able to access it, and anyone else with a Web account on that machine can run a script with the server's permissions.

Actually, I think one of the shared hosts I used to use got around that problem by running separate server processes under each user's account.

But if by "someone", you mean someone elsewhere on the Internet, then no, they can't retrieve anything except the text output of your script.