I use php with mysql_connect to access my database. The problem is that I must HARDCODE the mysql password in the php source file. This is unsafe!
Not just any person can see my php source. However, my web host is www.addr.com and they put hundreds of users together on one server. Other people who share my server DO have read access to my php source (and I have read access to theirs!!).
I asked addr about this and they say I can do "chmod 751" on all my directories so that people cannot know the filenames. However, people can figure out the filenames easily by looking at my URL.
I can put php code into a special hidden place (not in public_html) such as /usr/home/john/secret/uxyqnw184736.inc and hope the hacker cannot guess the filename. But this will not work because the hacker can look at my php file and see the "include" or "require" to find out the secret name. I must make the php source and any include source be "public read" or else apache will not be able to execute it. (I guess apache runs in the "nobody" user profile).
Does anyone have any ideas?
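The risk described in the post is that any file Apache can read on a shared host is readable by every other account on the box, and a hardcoded password in such a file is therefore exposed. The following shell helper is an added example (not from the original post or from the host in question): it lists the files under a directory that carry the world-read bit and then flags the ones that pass a quoted literal as the password argument of mysql_connect(). The sample tree it builds, including the file names and the "hunter2" password, is constructed for the demonstration.

```shell
# Added audit example: which files under DIR can every other user read?
# -perm -004 matches files whose "other" read bit is set, which is exactly
# what a shared-hosting neighbour needs to read your source.
audit_world_readable() {
    dir="$1"
    find "$dir" -type f -perm -004 2>/dev/null | sort
}

# Subset of the world-readable files that call mysql_connect() with a quoted
# literal in the third (password) position, i.e. a hardcoded password.
find_hardcoded_db_passwords() {
    dir="$1"
    audit_world_readable "$dir" | while IFS= read -r f; do
        if grep -Eq "mysql_connect\([^,)]*,[^,)]*,[[:space:]]*['\"]" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample tree so the example runs offline: one world-readable
# script with a literal password, one group-only config without one.
demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html" "$tmp/secret"
    cat > "$tmp/public_html/index.php" <<'EOF'
<?php
$db = mysql_connect("localhost", "john", "hunter2");   // constructed, hardcoded
EOF
    cat > "$tmp/secret/config.inc" <<'EOF'
<?php
$db = mysql_connect("localhost", "john", $password);   // password supplied elsewhere
EOF
    chmod 644 "$tmp/public_html/index.php"   # readable by "other"
    chmod 640 "$tmp/secret/config.inc"       # owner and group only
    printf '%s\n' "$tmp"
}

# Usage: d=$(demo_tree); find_hardcoded_db_passwords "$d"; rm -rf "$d"
```

Run against your own home directory it shows the files that need their permissions or contents changed; a file that does not appear in the first list is not what a neighbouring account can read, regardless of how well its name is hidden.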