[eluser]Andrew Hull[/eluser]
[quote author="Yorick Peterse" date="1264225918"][quote author="Andrew Hull" date="1264188623"][quote author="Yorick Peterse" date="1264039609"][quote author="GnomBrother" date="1264007875"]Yes, you can do so by including it in database.php, but you also have to include the database-defined constants in every controller file that communicates with the database. It could be a total mess, and many includes just negatively affect site performance. Is it possible to move the config folder outside the www folder? If yes, what are the best ways to implement this...[/quote]
No it's not. It's simply impossible to download a PHP file's source code unless you have access to the FTP server.[/quote]
... Except of course when the web server serves up the PHP content as text by mistake, either due to a bug or misconfiguration of the web server, or an exploit being used against the server. (See here for an example: http://xforce.iss.net/xforce/xfdb/7735)
In other words, it's not "impossible", just highly unlikely, and therefore you should always assume it is possible and take appropriate measures to avoid the rather obvious consequences.[/quote]
Highly, highly unlikely. Even a default configuration of Apache, Lighttpd or Nginx prevents PHP from being served as static text, unless you're configuring your server Rambo style.
If your server is configured properly it's perfectly safe to store passwords in .php files.[/quote]
I agree, highly unlikely. Why not put your bank account details in there too, and your credit card PIN? After all, what right-minded hacker would ever think to look for a clear-text password in a clear-text file?
Take a look here for another example of why keeping passwords in plain text is always a VERY bad idea.
http://blog.moertel.com/articles/2006/12...a-database
and here for more info
http://en.wikipedia.org/wiki/Password_cracking
By the way, I represent the late Mr Mbongo, who sadly passed away recently and left $1.8 trillion in his Nigerian bank account; all I need from you in order to pass on your share is your bank account number and PIN.
Thanks for your time. The cheque is in the post.
BTW, Rambo doesn't have time to set up my web server; he's too busy setting up servers for major high street banks and protecting high-ranking officials' laptops from prying eyes.
On a serious note though, learn how to do things securely from the outset; it's worth it for the trouble you don't get into in the end. You wouldn't leave your car keys on your doormat, so why would you leave the keys to your electronic kingdom just lying about any old where?
The cyber world is full of shoddy security already, so why add to the problem? Just Google "2600" to see who is out there just itching to "test" your security. It's enough to make you whistle (at 2.6 kHz, of course).
One final point, Yorick: what version of nginx are you using?
http://www.securityfocus.com/bid/36384
Ohhh you should be OK, perhaps, maybe, 'cos you are on version 0.7.64 .... or are you?
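One way to act on the "move the config outside the www folder" suggestion from the quoted question, as an added example that is not part of the thread or of CodeIgniter itself: load the database credentials from a file that lives outside the document root and fail closed if the file turns out to be web-reachable or world-readable. The directory layout, the `secrets/database.ini` file name and the `loadDbCredentials()` helper are assumptions; the `$db['default'][...]` keys follow CodeIgniter's database.php convention mentioned in the thread.

```php
<?php
// Added example, not code from the thread. Assumed layout (hypothetical):
//   /var/www/site/public                -> DOCUMENT_ROOT
//   /var/www/site/secrets/database.ini  -> credentials, mode 0640, owner root:www-data
// Even if the web server ever serves .php files as plain text, the
// credentials are not under the document root and so cannot be fetched.
declare(strict_types=1);

/**
 * Read DB credentials from an INI file and refuse to proceed if the file
 * resolves (symlinks included) to a path under the document root, is
 * readable by "other", or lacks a required key.
 *
 * @return array{hostname:string,username:string,password:string,database:string}
 */
function loadDbCredentials(string $credentialsFile, string $documentRoot): array
{
    $real = realpath($credentialsFile);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('Credentials file or document root not found');
    }
    $rootDir = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $rootDir) === 0) {
        throw new RuntimeException('Credentials file must live outside the document root');
    }
    // Reject files readable by every local user on the host (the "other" read bit).
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0004) !== 0) {
        throw new RuntimeException('Credentials file is world-readable; use mode 0640');
    }
    $ini = parse_ini_file($real);
    if ($ini === false) {
        throw new RuntimeException('Could not parse credentials file');
    }
    $creds = [];
    foreach (['hostname', 'username', 'password', 'database'] as $key) {
        if (!isset($ini[$key]) || $ini[$key] === '') {
            throw new RuntimeException("Credentials file is missing key: $key");
        }
        $creds[$key] = (string) $ini[$key];
    }
    return $creds;
}

// In application/config/database.php (assumed CodeIgniter path), instead of literals:
$creds = loadDbCredentials(__DIR__ . '/../../../secrets/database.ini', $_SERVER['DOCUMENT_ROOT']);
$db['default']['hostname'] = $creds['hostname'];
$db['default']['username'] = $creds['username'];
$db['default']['password'] = $creds['password'];
$db['default']['database'] = $creds['database'];
```

The INI file is a constructed stand-in for wherever credentials are kept; the same guard applies to a JSON file or an environment-specific include, the point being that nothing under the document root ever contains the secret.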