Network Security Focus-Linux

Re: Deny Access To configuration file using php scripts

Subject: Re: Deny Access To configuration file using php scripts
Date: Tue, 01 Mar 2005 18:58:50 -0500
Hi,

> Hello, I have a web server and I have a major problem:
> some of my users are trying to find my pass for my MySQL database.

My first suggestion would be to warn these users that this is not allowed and ban them from the system if they persist.


> The first thing they do is a
> system ('cat /var/www/path to config file');
> inside a PHP script.


There are a couple of things you can try. First, you can use Apache directives to deny access to the file. To do that, add the following text to the httpd.conf file:

<Files ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>

This would prevent all files with the .inc extension from being viewed via the web.

The second thing I would suggest is to disable access to the system() function unless you really really need it. You can do that in the php.ini file by using the disable_functions directive. It allows you to define a comma-delimited list of functions to be disabled within PHP. (http://www.onlamp.com/pub/a/php/2001/02/15/php_admin.html)

Hope this helps.

- Suramya

--
----------------------------------------------------------
Some days you're the dog; some days you're the hydrant.
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
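
As an added example (not part of the original message), this Python script checks php.ini text against the disable_functions advice above and lists which command-execution functions remain callable. The helper names and both sample configurations are constructed for illustration.

```python
import re

# Functions that run shell commands from PHP; the system('cat ...') call
# quoted in the thread is one of them.
EXEC_FUNCTIONS = {"system", "exec", "passthru", "shell_exec",
                  "popen", "proc_open", "pcntl_exec"}

# php.ini directive names are case sensitive, so match the exact spelling.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$")


def disabled_functions(ini_text):
    """Return the set of functions named by the effective disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]        # strip php.ini comments
        match = _DIRECTIVE.match(line)
        if match:
            value = match.group(1)          # a later setting overrides an earlier one
    value = value.strip().strip("\"'")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def still_enabled(ini_text, wanted=EXEC_FUNCTIONS):
    """Command-execution functions that the given php.ini text leaves callable."""
    return sorted(set(wanted) - disabled_functions(ini_text))


# Constructed sample php.ini content, not taken from any real server.
SAMPLE_WEAK = """\
[PHP]
;disable_functions = system,exec,passthru
disable_functions = system   ; only the one function from the thread
"""

SAMPLE_HARDENED = """\
[PHP]
disable_functions = "system, exec, passthru, shell_exec, popen, proc_open, pcntl_exec"
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", still_enabled(text) or "all command functions disabled")
```

disable_functions only covers the functions it lists; reads through PHP's own file functions need a separate control such as open_basedir.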
