I am sure if I want to use this program safely I am going to have to figure out a way to protect the info on the config.php from at least amateur hackers. Is there a way to do this so I can still have my gallery?
Thank you, all help is always appreciated.
This script will do that:
<?php
include('http://www.yoursite.com/config.php');
$vars = get_defined_vars();
print_r($vars);
?>
A simple way to provide some protection against this is to define a variable in your pages and check whether this is set in the config file.
index.php:
<?php
define('TRXASDFA','aljsjkas'); // These are just two random strings... Make them unguessable.
include('config.php');
?>
config.php:
<?php
if(!defined('TRXASDFA') || TRXASDFA != 'aljsjkas')
die();
$thisPassword="*****";
$thatPassword="*****";
$thisSetting="*****";
$thatSetting="*****";
?>
To answer your initial question, cooldogs, it does create somewhat of a security issue, but using config files is a very common thing and most scripts use them.
<?php
include('http://www.yoursite.com/config.php');
$vars = get_defined_vars();
print_r($vars);
?>
MattAU, I am sorry but I totally disagree. From all that I have learnt, I think it is impossible to do that; you cannot get any of my server's config like that. If you include any file using "http" then there is no concept of any PHP code being sent to you if my server is running fine. Try that for your own page: include your own config.php via http:// and let's see if you can get those variables. It has to be a code file include like
include "config.inc.php"
that will do what you've mentioned.
I am willing to bet 100$ on that ;)
And I can StickyMail you my config file's URL for a test.
[edited by: Anyango at 5:19 am (utc) on Oct. 12, 2008]
But now I'm a little confused about something ... is the below true?
[quote]A page on my site that can get your password details.[/quote]
Also, I was wondering what you thought of the idea of using an .htaccess file in the same sub-directory where the config.php file was, does that render it inoperable in any way? Below is the code I found that is supposed to go in the .htaccess file ... the whole thing is for a photo gallery, so the php script sent to me to do so including for back end management would still have to be able to function.
<Files ~ "^config\.php$">
Order allow,deny
Deny from all
</Files>
Why not simply pop the config file outside the web root?
I love an easy solution that works :)
I will definitely look into that, only thing is I'm a little technically challenged and the config.php is part of a php script setup that I bought to be able to have a photo gallery, I'll have to delve into it and see if I can make that adjustment on my own with my limited abilities.
I can do an .htaccess file and I do currently have one of those, if the above .htaccess solution is good enough, I know I can do that. What did y'all think of the .htaccess idea?
Thanks
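The "outside the web root" suggestion above, sketched as an added example that is not part of the thread or of the gallery script. The directory names (public_html, private), the function load_private_config() and the array-returning config file are assumptions made for illustration; the layout is built in a temp directory so the script runs anywhere.

```php
<?php
// Added example: directory names, function name and setting values are hypothetical.

/**
 * Load a settings file only if it lives outside the web-served directory.
 */
function load_private_config(string $docRoot, string $configFile): array
{
    $root = realpath($docRoot);
    $file = realpath($configFile);
    if ($root === false || $file === false) {
        throw new RuntimeException('Document root or config file not found');
    }
    // A file under the document root has a URL of its own, so refuse it.
    if (strpos($file, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('Config file is inside the web root');
    }
    $settings = require $file;   // local filesystem include, never http://
    if (!is_array($settings)) {
        throw new RuntimeException('Config file must return an array');
    }
    return $settings;
}

// Constructed layout: <tmp>/site_x/public_html is served, <tmp>/site_x/private is not.
$base = sys_get_temp_dir() . '/site_' . uniqid();
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700, true);
$body = "<?php\nreturn ['thisPassword' => 'constructed-value'];\n";
file_put_contents("$base/private/config.php", $body);
file_put_contents("$base/public_html/config.php", $body); // the placement to avoid

// What index.php inside public_html would do: reach one level up.
$cfg = load_private_config("$base/public_html", "$base/public_html/../private/config.php");
echo "Loaded keys: ", implode(', ', array_keys($cfg)), "\n";

// The same file placed next to index.php is rejected by the check.
try {
    load_private_config("$base/public_html", "$base/public_html/config.php");
} catch (RuntimeException $e) {
    echo "Refused: ", $e->getMessage(), "\n";
}
```

In a real install the only change to the purchased script is the path in its include line, for example `dirname(__DIR__) . '/private/config.php'` under the same assumed layout.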