Ok. I am trying to create a php page that will access a mysql database on the same server, but want to make sure that no one can parse the information out of the connect statement to the database.

I know that I can use an include statement to pull $my_username, $my_password out of a file, but is there a way to put this file in a sub-directory that will only be accessible by apache and not by anyone trying to download the file directly?

I am guessing this is strictly a permissions issue. But if user:group apache:apache "owns" it, doesn't that mean that anyone on the web can access it?

thanks.

mattmc97

well, when you try to download the page, the web server will render the page to html, meaning that if you don't echo the variables, it shouldn't be viewable by others. Though i think there is a way to configure apache to have non-accessible folders for web use...not sure how to do it though

If the web server returns the page then the data will be there if they are not in script tags, or if for some reason the php engine is not working. However, if you are using apache you could try to use a mod_alias to redirect any direct access to the file that contains the password

This is actually for a guy that had asked on another forum that I frequent. I told him that basically you cannot view the php source since it is server-side, but I guess this is pretty sensitive information so he would like to put the information in a separate file in a protected directory.

Is there a way to use md5 password in a file or to protect a directory that only the webserver (apache) can get to but not someone requesting the file directly?

That is what I do not know, because as far I know the reason you give apache ownership is so that people can read it, so I don't know how you would give apache ownership without giving everyone the ability to read it, if the php did not render or if they tried to directly download it.

Any other insight would be great. I will look into mod_alias as well.

thanks.

mattmc97