
setting include_path on shared server

My shared host used to have Php configured such that I could place a
php.ini file into any directory on my site and that was the php.ini file
that the Php cgi would use when it ran scripts.

Since upgrading to Php5.1 that is no longer possible (not allowed in
Php5.1 (?) ).

Anyway, ... this was a very handy way for me to set the include path so
that I could keep files with sensitive data (e.g., database usernames,
passwords) out of the site's public path.

My hosting service has actually rolled back to Php5.0 so that I could
continue doing as I had been ... with the caveat that they will
ultimately have to go with 5.1.

So, I have a set of questions.

1. Is there another way that I can set the include path globally for my
site? (Adding them to htaccess throws a 500 server error.)

2. How much security is really gained by moving sensitive include files
out of the site path (my include files all use the .php extension)?
Should I even be that concerned about this capability?

3. Would I gain the same security if I changed my current include files
(which I would have to put back into the public site path) to do nothing
but set include_path outside the public site and then include a new,
secondary file which actually contains the sensitive data?

4. Does anyone know why I *can* use local php.ini files in 5.01 and not
in 5.1?

--
*************** **************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*************** **************
Aug 7 '06 #1
On 2006-08-07, Chuck Anderson wrote:
> 1. Is there another way that I can set the include path globally for
> my site? (Adding them to htaccess throws a 500 server error.)

Like this?

php_value include_path "whatever"

If it doesn't work, then a vague part of my memory says that Apache's
AllowOverride directive might be the problem. Unfortunately I don't
remember the minimal setting needed for php_value and such to work. You
would need to contact the admins to have it changed.

> 2. How much security is really gained by moving sensitive include
> files out of the site path (my include files all use the .php
> extension)? Should I even be that concerned about this capability?

The only potential risk I can see is if the admins accidentally disable
PHP processing, e.g. while updating some configuration files. So I'd say
it depends on how competent and alert the admins are. Still, even with
good admins, I'd better be safe than sorry.

> 3. Would I gain the same security if I changed my current include
> files (which I would have to put back into the public site path) to do
> nothing but set include_path outside the public site and then include
> a new, secondary file which actually contains the sensitive data?

As far as I can tell, it would give you almost the same security. Again
the only potential problem I can see is accidentally disabling PHP, which
would let your users see the filenames you're including. Then they'd have
a more accurate idea of where to look, in the non-public parts of the
server. But at least now they'd have to somehow get local access, as
well as overriding the permissions that prevent users from peeking at
each other's files (.. you do have permissions set like that, right?).

--
|\_/| ,(Meow) Jesper H. <xy***********@ xyborx.dk>
(^.^)
`^' Sanity is an illusion
Aug 8 '06 #2
Jesper H. wrote:
> On 2006-08-07, Chuck Anderson wrote:
>> 1. Is there another way that I can set the include path globally for
>> my site? (Adding them to htaccess throws a 500 server error.)
>
> Like this?
>
> php_value include_path "whatever"

Yep.

> If it doesn't work, then a vague part of my memory says that Apache's
> AllowOverride directive might be the problem. Unfortunately I don't
> remember the minimal setting needed for php_value and such to work. You
> would need to contact the admins to have it changed.

I do not know what the issue is, but my host admin says it is not
possible with Php5.1 (?).

>> 2. How much security is really gained by moving sensitive include
>> files out of the site path (my include files all use the .php
>> extension)? Should I even be that concerned about this capability?
>
> The only potential risk I can see is if the admins accidentally disable
> PHP processing, e.g. while updating some configuration files. So I'd say
> it depends on how competent and alert the admins are. Still, even with
> good admins, I'd better be safe than sorry.

That's the way I feel, too.

>> 3. Would I gain the same security if I changed my current include
>> files (which I would have to put back into the public site path) to do
>> nothing but set include_path outside the public site and then include
>> a new, secondary file which actually contains the sensitive data?
>
> As far as I can tell, it would give you almost the same security. Again
> the only potential problem I can see is accidentally disabling PHP, which
> would let your users see the filenames you're including. Then they'd have
> a more accurate idea of where to look, in the non-public parts of the
> server.

That's how I see it, but I want to be sure I'm not missing something. It
seems like the easiest "fix."

> But at least now they'd have to somehow get local access, as
> well as overriding the permissions that prevent users from peeking at
> each other's files (.. you do have permissions set like that, right?).

I've left most directory/file attributes at defaults, so you've prompted
me to play around and see if I can set these important folders to 700.
Everything still seems to work, so thanks for that.

--
*************** **************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
*************** **************
Aug 8 '06 #3
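
The stub arrangement from question 3, together with the permission check raised in the replies, as an added example that is not part of the original thread. The function name `load_private_settings`, the file name `db_settings.php` and the directory layout are hypothetical, and it assumes a Unix host where the PHP CGI runs as the account owner.

```php
<?php
// public_html/config.php: constructed example of the "stub" from question 3.
// It holds no secrets; it only points include_path at a private directory
// and loads the real settings from there.
//
// Assumed layout (hypothetical paths):
//   /home/example/public_html/            <- document root
//   /home/example/private/                <- mode 700
//   /home/example/private/db_settings.php <- "<?php return array(...);"

function load_private_settings($privateDir, $docRoot, $file = 'db_settings.php')
{
    $private = realpath($privateDir);   // resolves ".." and symlinks
    $root    = realpath($docRoot);
    if ($private === false || $root === false) {
        throw new RuntimeException('Configuration directory not found.');
    }

    // Refuse a private directory that is the document root or lies beneath
    // it: such a file is served as plain text if PHP processing is ever
    // disabled, which is the risk discussed in the thread.
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($private . DIRECTORY_SEPARATOR, $rootPrefix) === 0) {
        throw new RuntimeException('Private directory is inside the document root.');
    }

    // Refuse any group/world permission bits, i.e. require mode 700.
    if ((fileperms($private) & 0077) !== 0) {
        throw new RuntimeException('Private directory is accessible to other users.');
    }

    // Runtime replacement for the per-directory php.ini setting; the private
    // directory is prepended so later include/require calls find it first.
    set_include_path($private . PATH_SEPARATOR . get_include_path());

    // Load the secrets by absolute path so that no other include_path entry
    // can shadow them; basename() keeps the name inside $private.
    $target = $private . DIRECTORY_SEPARATOR . basename($file);
    if (!is_file($target)) {
        throw new RuntimeException('Settings file not found.');
    }
    return require $target;   // the value returned by db_settings.php
}

// Usage from any public script:
// $db = load_private_settings(__DIR__ . '/../private', $_SERVER['DOCUMENT_ROOT']);
```

The exception messages deliberately omit the resolved paths, so an error page does not tell a visitor where the private directory is.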
