setting include_path on shared server

Chuck Anderson

My shared host used to have Php configured such that I could place a
php.ini file into any directory on my site and that was the php.ini file
that the Php cgi would use when it ran scripts.

Since upgrading to Php5.1 that is no longer possible (not allowed in
Php5.1 (?) ).

Anyway, ... this was a very handy way for me to set the include path so
that I could keep files with sensitive data (e.g., database usernames,
passwords) out of the site's public path.

My hosting service has actually rolled back to Php5.0 so that I could
continue doing as I had been ... with the caveat that they will
ultimately have to go with 5.1.

So, I have a set of questions.

1. Is there another way that I can set the include path globally for my
site? (Adding them to htaccess throws a 500 server error.)

2. How much security is really gained by moving sensitive include files
out of the site path (my include files all use the .php extension)?
Should I even be that concerned about this capability?

3. Would I gain the same security if I changed my current include files
(which I would have to put back into the public site path) to do nothing
but set include_path outside the public site and then include a new,
secondary file which actually contains the sensitive data?

4. Does anyone know why I *can* use local php.ini files in 5.01 and not
in 5.1?

--
*************** **************
Chuck Anderson â€¢ Boulder, CO
http://www.CycleTourist.com
*************** **************

Aug 7 '06 #1

Subscribe Reply

2293

Jesper H.

On 2006-08-07, Chuck Anderson wrote:

1. Is there another way that I can set the include path globally for
my site? (Adding them to htaccess throws a 500 server error.)

Like this?

php_value include_path "whatever"

If it doesn't work, then a vague part of my memory says that Apaches
AllowOverride directive might be the problem. Unfortunately I don't
remember the minimal setting needed for php_value and such to work. You
would need to contact the admins to have it changed.

2. How much security is really gained by moving sensitive include
files out of the site path (my include files all use the .php
extension)? Should I even be that concerned about this capability?

The only potential risk I can see is if the admins accidently disable
PHP processing, e.g. while updating some configuration files. So I'd say
it depends on how competent and alert the admins are. Still, even with
good admins, I'd better be safe than sorry.

3. Would I gain the same security if I changed my current include
files (which I would have to put back into the public site path) to do
nothing but set include_path outside the public site and then include
a new, secondary file which actually contains the sensitive data?

As far as I can tell, it would give you almost the same security. Again
the only potential problem I can see is accidently disabling PHP which
you let your users see the filenames you're including. Then they'd have
a more accurate idea of where to look, in the non public parts of the
server. But at least now they'd have to somehow get local access, as
well as overriding the permissions that prevent users from peeking at
each others files (.. you do have permissions set like that, right?).

--
|\_/| ,(Meow) Jesper H. <xy***********@ xyborx.dk>
(^.^)
`^' Sanity is an illusion

Aug 8 '06 #2

Chuck Anderson

Jesper H. wrote:

On 2006-08-07, Chuck Anderson wrote:

>1. Is there another way that I can set the include path globally for
my site? (Adding them to htaccess throws a 500 server error.)

Like this?

php_value include_path "whatever"

Yep.

If it doesn't work, then a vague part of my memory says that Apaches
AllowOverride directive might be the problem. Unfortunately I don't
remember the minimal setting needed for php_value and such to work. You
would need to contact the admins to have it changed.

I do not know what the issue is, but my host admin says it is not
possible with Php5.1 (?).

>
>2. How much security is really gained by moving sensitive include
files out of the site path (my include files all use the .php
extension)? Should I even be that concerned about this capability?

The only potential risk I can see is if the admins accidently disable
PHP processing, e.g. while updating some configuration files. So I'd say
it depends on how competent and alert the admins are. Still, even with
good admins, I'd better be safe than sorry.

That's the way I feel, too.

>
>3. Would I gain the same security if I changed my current include
files (which I would have to put back into the public site path) to do
nothing but set include_path outside the public site and then include
a new, secondary file which actually contains the sensitive data?

As far as I can tell, it would give you almost the same security. Again
the only potential problem I can see is accidently disabling PHP which
you let your users see the filenames you're including. Then they'd have
a more accurate idea of where to look, in the non public parts of the
server.

That's how I see it, but I want to be sure I'm not missing something. It
seems like the easiest "fix."

But at least now they'd have to somehow get local access, as
well as overriding the permissions that prevent users from peeking at
each others files (.. you do have permissions set like that, right?).

I've left most directory/file attributes at defaults, so you've prompted
me to play around and see if I can set these important folders to 700.
Everything still seems to still work, so thanks for that.

--
*************** **************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*************** **************

Aug 8 '06 #3

Similar topics

1889

how to set the include_path

by: Ramprasad A Padmanabhan | last post by:

I know it is a dummies question, But I am not able to find it on the php manual. Can anyone tell me How to set the include_path in php thanks Ram

PHP

3512

include_path and doc_root

by: Paul | last post by:

Dear all, I have a website hosted on Apache, where phpinfo gives DOCUMENT_ROOT as /home/mysite/public_html, and include_path as ..:/usr/lib/php:/usr/local/lib/php; I have no control over these. For development, work, however, I use IIS, but here I do have access to php.ini file. Basically I'm after a way to tweak (fudge) my local configuration such that I can use include("/home/mysite/public_html/includes/public.php"); (for

PHP

1913

to stupid to see the mistake - include_path don't work

by: mirko | last post by:

Hello, I have a problem with my include_path and I don't know why... Can anybody see the mistake? my configuration: PHP Version 4.3.11 System: Windows NT 5.0 build 2195

PHP

6375

htaccess and include_path

by: webguynow | last post by:

I recently read a forum posting on codewalkers.com regarding PEAR on a shared host and the poster, mentioned 3 methods to assign an include_path using htaccess. ( Only the 2nd I'm familiar with - so the 1st and 3rd could use some explaining ) you can use .htaccess files to overwrite php's include_path for your site.

PHP

6514

"error_reporting" setting not being recognized in my php.ini file

by: laredotornado | last post by:

Hi, I'm using PHP 4.4.4 on Apache 2 on Fedora Core 5. PHP was installed using Apache's apxs and the php library was installed to /usr/local/php. However, when I set my "error_reporting" setting to be "E_ALL", notices are still not getting reported. The perms on my file are 664, with owner root and group root. The php.ini file is located at /usr/local/lib/php/php.ini. Any ideas why the setting does not seem to be having an effect? ...

PHP

1840

Error setting Server logon info for crystal reports

by: Lawrence 007 | last post by:

Hi, I get the following error when I try to connect to my server to run a crystal report: Object reference not set to an instance of an object The code works fine without the parameter, but I don't know why it is not working with the parameter added. rpt = New CrystalReport1() Dim reportPath As String = "C:\Crystal Report\Crystalreport1.rpt"

.NET Framework

2617

include_path related issue

by: Schraalhans Keukenmeester | last post by:

I suspect the following problem IS hosting provider specific, but they haven't been able to help me out so far. Perhaps I am doing something wrong and someone is able to spot the issue... Here goes. The actual path of the root dir of my account with hosting provider (H.P.) is: /usr/local/psa/home/vhosts/mydomain.com/ The webroot is a subdir of the root: /usr/local/psa/home/vhosts/mydomain.com/httpdocs. Include files go in:

PHP

3819

Appending to the include_path

by: Gordon | last post by:

Is it possible in, say, a .htaccess file, to append additional paths to the php include_path without knowing what the value of include_path is beforehand? I want to add an absolute path to a directory and it's subdirectories from a .htaccess file, but I don't want to have to encode the entire current value of it and append my own path as that would mean having to change it every time it changes in php.ini or the code is deployed on a...

PHP

4352

how to put class.phpmailer.php in php.ini include_path

by: mukeshrasm | last post by:

Hi! I want to use phpmailer class to send mail using smtp.I have downloaded the phpmailer and then i followed it's README file where it is mentioned that "Copy class.phpmailer.php into your php.ini include_path. If you are using the SMTP mailer then place class.smtp.php in your path as well", but I don't know where to paste the class.phpmailer.php into my php.ini include_path. In my php.ini file the include path is commented and it is like ...

PHP

9734

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

9607

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

10665

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

10420

The easy way to turn off automatic updates for Windows 10/11

by: Hystou | last post by:

Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...

Windows Server

7681

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

6897

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...

C# / C Sharp

5568

Trying to create a lan-to-lan vpn between two differents networks

by: TSSRALBI | last post by:

Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...

Networking - Hardware / Configuration

4358

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

3881

How to add payments to a PHP MySQL app.

by: muto222 | last post by:

How can i add a mobile payment intergratation into php mysql website.

PHP