>> sigsegv I am sure you are very clever
Why thank you. I like to think so.
>> and obviously well versed in Linux and to a much higher level than
>> me. But comments like "Oh come on guys ... this is an easy one"
>> just annoy me. If I understood, I wouldn't ask the question would I?
I had no idea your skin was so thin ... Apologies all around.
>> Having got the grievance out of the way lets get to the point.
>> You need to explain yourself else the information you are trying
>> to put across is useless because I don't understand you and
>> probably the other people as well.
You're making assumptions about the other people in this forum and their level of aptitude to the conversation at hand. Isn't that what I was being chastised for only moments ago?
>> We have a miscommunication problem here. So you need to get
>> into some basics so I understand the logic of what you are saying.
>> I'll try again to explain what I see as the problem.
>> You have a page that has html code in which is embedded php code to
>> access a particular database and in that php code is the user name and
>> password to connect to the database. Now that page is world readable
>> otherwise it becomes useless. So far we agree.
No we don't.
The PHP code on the server isn't world readable. It should be owned by the user that owns it (duh) and the apache group. If more than one user needs access to the files, then you create a new group and make user1 and user2 members of it, and then apache can own the files with read only access while the users have rw- and rwx. In any case, there should be *no* world readable files that contain username/password info.
The HTML code that the PHP preprocessor spits out isn't world readable. It's generated in memory and then handed to apache to give to the client. The page that the client gets (usually) never exists on disk when discussing PHP.
"World readable" on the Apache server machine's local filesystem means something *completely* different. World readable source files living on the hard drive is what the OP is asking about.
>> Any browser is capable of showing the source code of the page
>> and divulging the name and password to the that database.
No it isn't.
The HTML source that the client browser sees and the PHP source that lives on the server is (again, usually) two totally and completely different things.
>> So what is stopping me using an application like phpmyadmin
>> to access the database.
The fact that you don't have a password, a username, or (most likely) a network path back to tcp/3306 on the MySQL server you want to take over.
>> Could you explain simply how you either prevent someone
>> viewing the source of the page or getting access to the database.
My previous post(s) pretty much already have.
>> I have several informational databases that I don't want others
>> messing with as they are mine and I want to control what is in
>> there so it must only be readable.
If you have multiple users on your systems and they can cat /home/user/public_html/somefile.php
, that's bad. See my first post again.