Network Security Focus-Linux

Re: Deny Access To configuration file using php scripts

Subject: Re: Deny Access To configuration file using php scripts
Date: Tue, 01 Mar 2005 21:26:29 -0500
Hi,

There are a couple of things you can try. First, you can use Apache directives to deny access to the file. To do that, add the following text to the httpd.conf file:

<Files ~ "\.inc$">
  Order allow,deny
  Deny from all
</Files>


While that may stop the web-server from serving the files up, it would
not stop a php script from accessing the files.

I'm not sure that this can easily be solved. If the file needs to be
readable by apache, then it can also be read by any other process
running as the same user as apache, which would be every php script.

If you are using virtual hosts, then you may be able to solve the
problem using Apache's per-user virtual-host configuration. This allows
scripts to run as someone other than 'nobody' (or whoever apache is
running as).


You could also create the config file with a .php extension so even when the user is able to include the file it would be interpreted by PHP and it would only show a blank screen to the user over the web.


The second thing I would suggest is to disable access to the system()

They could also use functions like fopen(), require(), include(), etc. to
read the files.

True, but if the file is interpreted by PHP then it would be that big a problem.


Actually instead of trying to find a tech solution to this, I would just ban the guilty users from the server. No access = No hack attempts.

- Suramya


--
----------------------------------------------------------
Some days you're the dog; some days you're the hydrant.
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
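
The point argued in this thread, as an added example that is not part of the original posts: a config file given a .php extension sends nothing to a browser, yet any script running under the same account can still include it or read its source. The temporary directory, file name and settings are constructed placeholders, and probe() is a hypothetical helper.

```php
<?php
// Added example with constructed values; the directory, file name and settings are placeholders.
$dir = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir($dir, 0700);
$cfg = $dir . '/config.php';

// Config stored with a .php extension: it produces no output, it only returns data.
$source = "<?php\nreturn ['db_user' => 'app', 'db_pass' => 'constructed-placeholder'];\n";
file_put_contents($cfg, $source);
chmod($cfg, 0644); // world-readable, as a file created under a typical umask would be

// Hypothetical helper: reports what a caller running under the same account can learn.
function probe(string $path): array
{
    ob_start();
    $returned = include $path;          // what an including script receives
    $body = ob_get_clean();             // what PHP would send to a browser
    $raw = @file_get_contents($path);   // what fopen()-style reads receive
    return [
        'bytes_sent_to_browser' => strlen($body),
        'include_sees_keys'     => is_array($returned) ? array_keys($returned) : [],
        'raw_source_readable'   => $raw !== false,
        'world_readable'        => (fileperms($path) & 0004) !== 0,
    ];
}

// First report: file mode 0644.
print_r(probe($cfg));

// Second report: mode tightened so only the owning account can read the file.
chmod($cfg, 0600);
clearstatcache();
print_r(probe($cfg));

// Clean up the constructed files.
unlink($cfg);
rmdir($dir);
```

Only the world_readable field differs between the two reports: tightening the mode shuts out other accounts, while a script running as the file's owner (every PHP script, when all of them run as the Apache user) still gets the settings through include and the source through a plain read.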
