Recipe 18.6. Keeping Passwords Out of Your Site Files18.6.1. ProblemYou need 18.6.2. SolutionStore the password in an environment variable in a file that the web server loads when starting up. Then, just reference the environment variable in your code: <?php 18.6.3. DiscussionWhile this technique removes passwords from the source code of your pages, it makes them available in other places that need to be protected. Most importantly, make sure that there are no publicly viewable pages that call phpinfo( ). Because Next, especially if you are using a shared host, make sure the environment variables are set in such a way that they are only available to your virtual host, not to all users. With Apache, you can do this by setting the variables in a separate file from the main configuration file: SetEnv DB_USER "susannah" Inside the <VirtualHost> directive for the site in the main configuration file (httpd.conf), Include "/usr/local/apache/database-passwords" Make sure that this separate file containing the password (e.g., /usr/local/apache/database-passwords) is not readable by any user other than the one that controls the appropriate virtual host. When Apache starts up and is reading in configuration files, it's usually running as root, so it is able to read the included file. A child process that handles requests typically runs as an unprivileged user, so rogue scripts cannot read the protected file. 18.6.4. See AlsoDocumentation on Apache's Include directive at http://httpd.apache.org/docs/mod/core.html#include. |
Monday, January 11, 2010
Recipe 18.6. Keeping Passwords Out of Your Site Files
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment