Hi,

I just password-protected an intranet site by including a password
authentication script in each page of a private section. The script
checks the login against the MySQL database. Appropriate file
permissions have been set up on the private directory.

My concern is now about protecting the MySQL password. Let's assume I
use Apache to protect the access to this password (<files></files> or
SetEnv in httpd.conf).

In my intranet directory, I have a public folder where I let users put
their HTML/PHP files to build their own pages.

How can I prevent a user from creating a PHP file like this:

$conn = mysql_connect($_SERVER['SQL_DB'], $_SERVER['SQL_USER'], $_SERVER['SQL_PASS'])
    or die(mysql_error());
$sql = "update user set private_access = '1' where username = 'myself'";
$result = mysql_query($sql) or die(mysql_error());

In that way, without knowing the MySQL pwd, any user can finally have
access to the private section.

Can anyone tell me how I can manage this?

Thanks!
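
One way to keep the SQL_* variables out of user-uploaded scripts, shown as an added example that is not part of the original post: set them only inside the private directory's section of httpd.conf, so requests for files under the public folder never receive them. It assumes Apache with mod_php; the directory paths, account name and password are placeholders.

```apache
# Constructed example: paths, account name and password are placeholders.

# --- Weak: variables set at server/vhost level ---------------------------
# Every request handled by this host receives them, including scripts that
# users upload under public/, which can then read $_SERVER['SQL_PASS'].
#
#   SetEnv SQL_DB   localhost
#   SetEnv SQL_USER intranet_auth
#   SetEnv SQL_PASS "PLACEHOLDER_PASSWORD"

# --- Scoped: variables exist only for requests mapped into private/ ------
<Directory "/var/www/intranet/private">
    SetEnv SQL_DB   localhost
    SetEnv SQL_USER intranet_auth
    SetEnv SQL_PASS "PLACEHOLDER_PASSWORD"
    # Ignore .htaccess files in this tree.
    AllowOverride None
</Directory>

<Directory "/var/www/intranet/public">
    # No SetEnv here: $_SERVER['SQL_PASS'] is undefined for these requests.
    AllowOverride None
    # mod_php only: keep user scripts from opening or include()-ing files
    # outside the public tree, such as the scripts in private/.
    php_admin_value open_basedir "/var/www/intranet/public/"
</Directory>
```

httpd.conf itself should be readable by root only, since the password now lives there. Granting the MySQL account used by the authentication script nothing beyond SELECT on the user table also means that a leaked credential cannot run the UPDATE shown in the post.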