config files

Hi,

I have a file outside of the web root and this file contains db
username/passwds, and other config stuff. I include this file as needed in
the scripts. Is this a secure way of doing this? Would the contents of
this file ever be visible to web users under normal or abnormal conditions?

Thanks, Mike

Jul 28 '05 #1
On Thu, 28 Jul 2005 07:31:43 -0600, "Michael G" <mi****@montana.com> wrote:
> I have a file outside of the web root and this file contains db
> username/passwds, and other config stuff. I include this file as needed in
> the scripts. Is this a secure way of doing this?

Security is rarely absolute, but this is a pretty good method in most cases.

> Would the contents of
> this file ever be visible to web users under normal or abnormal conditions?


To web users - not under normal conditions, and it would take a severe bug to
show it under abnormal conditions (i.e. a page that due to a bug allowed direct
display of arbitrary files).

Note that this is not fully secure on a shared webhost if the other users of
that server (not web users - but server users) aren't trusted, as other users'
PHP scripts are likely to be able to access the file outside the web root if
they know where it is - it's got to be accessible to the webserver, and other
users may be using that webserver.

If the userbase of the server is trusted, this is fine - e.g. you have a
dedicated server. Even if not, you can make a judgement call as to whether
other users of the server would jeopardise their investment in hosting by
"hacking" other users on the same server.

There are ways of locking this down further, but you'd probably have to run
PHP as CGI so it ran under your own user credentials - but this has potentially
serious performance implications.

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Jul 28 '05 #2
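
The checks implied by the reply above, as an added example that is not part of the original thread: a shell function that confirms the credentials file really resolves to a location outside the web root and that its mode bits do not let other local accounts read or replace it. The function names, finding labels and the paths in `demo` are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. All paths in demo() are constructed.

# Physical (symlink-resolved) absolute path of an existing directory.
resolve_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# audit_config_file CONFIG_FILE WEB_ROOT
# Prints space-separated findings (or OK); returns 0 clean, 1 findings, 2 bad input.
audit_config_file() {
    local cfg="$1" root="$2" cfg_dir root_dir findings=""
    [ -f "$cfg" ] || { echo "MISSING"; return 2; }
    cfg_dir=$(resolve_dir "$(dirname "$cfg")") || { echo "MISSING"; return 2; }
    root_dir=$(resolve_dir "$root") || { echo "BAD_WEBROOT"; return 2; }

    # Compare resolved paths, so a symlinked directory cannot make a file
    # that really sits under the document root look like it is outside it.
    case "$cfg_dir/" in
        "$root_dir"/*) findings="${findings}INSIDE_WEBROOT " ;;
    esac
    # o+r: any local account on a shared host can read the credentials.
    if [ -n "$(find "$cfg" -prune -perm -004 -print)" ]; then
        findings="${findings}WORLD_READABLE "
    fi
    # g+w or o+w: someone other than the owner can replace the file that
    # every script includes.
    if [ -n "$(find "$cfg" -prune \( -perm -002 -o -perm -020 \) -print)" ]; then
        findings="${findings}WRITABLE_BY_OTHERS "
    fi

    if [ -z "$findings" ]; then echo "OK"; return 0; fi
    echo "${findings% }"
    return 1
}

# Demo on a constructed layout: site/www is the web root, site/private is not.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/site/www" "$t/site/private"
    echo '<?php $db_pass = "example";' > "$t/site/private/config.php"
    chmod 644 "$t/site/private/config.php"
    audit_config_file "$t/site/private/config.php" "$t/site/www" || true
    chmod 640 "$t/site/private/config.php"
    audit_config_file "$t/site/private/config.php" "$t/site/www"
    rm -rf "$t"
}
demo
```

A clean result only covers other shell accounts. As the reply above notes, scripts belonging to other customers that run under the same web server account read the file with the same rights as your own scripts.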
"Michael G" <mi****@montana.com> writes:
> Hi,
>
> I have a file outside of the web root and this file contains db
> username/passwds, and other config stuff. I include this file as needed in
> the scripts. Is this a secure way of doing this? Would the contents of
> this file ever be visible to web users under normal or abnormal conditions?

No, it will not be visible to the web users.
--
Raj Shekhar
blog : http://rajshekhar.net/blog home : http://rajshekhar.net
Disclaimer : http://rajshekhar.net/disclaimer
Jul 29 '05 #3
