Config.inc.php and password security?

Started by Eric Chadwick, January 27, 2008, 07:43:05 PM

Eric Chadwick

Is it possible (or even advisable) to move the SQL username and password out of the config.inc.php and into a more secure folder on the server? I wonder if it could be a security risk, since the PHP is in fact plain text, unencrypted?

I just moved to BlueHost, where I was pointed to this article about PHP security:
http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=319

Thanks!

Eric Chadwick

Forgot to mention, I found this post in a search...
http://forum.coppermine-gallery.net/index.php?topic=362.msg1864#msg1864

It is more than four years old, so perhaps this potential security hole has been addressed since then?

Nibbler

You can move the file outside the webroot if you want. Just remember to update include/init.inc.php with the new path. Having the file there is standard for web scripts like Coppermine; the risk is small.


Wolfseye

Asking because I am new to Coppermine: how would the changes look if the paths were the following?

http://www.mydomain.com/gallery (URL)

/home/mydomainID/public_html/gallery

If I moved the config out to even before /public_html, what would I have to change in init.inc.php?
I would appreciate any help. ;)
Thank you.

Wolfseye

Nibbler


// Include config and functions files
if (file_exists('include/config.inc.php')) {
    ob_start();
    require_once 'include/config.inc.php';
    ob_clean();
} else {

Change path there (2 times). Preferably using something like ../../include/config.inc.php to be more portable.
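
The change described in the last reply, applied to the layout from Wolfseye's question, as an added example that is not part of the thread or of Coppermine's own code. It anchors the path to the location of init.inc.php instead of the working directory and refuses a config file that still resolves under the webroot. The function name `locate_config`, the target directory `/home/mydomainID/include`, the else-branch message, and PHP 7.1 or later are assumptions.

```php
<?php
// Added example, not Coppermine code. Assumed layout, using the poster's
// placeholder "mydomainID":
//   webroot : /home/mydomainID/public_html
//   gallery : /home/mydomainID/public_html/gallery
//   config  : /home/mydomainID/include/config.inc.php   (moved here)

/**
 * Resolve the relocated config file and confirm it lies outside the webroot.
 * Returns the absolute path, or null if it is missing or still web-reachable.
 * (Hypothetical helper, not a Coppermine function.)
 */
function locate_config(string $galleryDir, string $relative, string $webroot): ?string
{
    $path = realpath($galleryDir . '/' . $relative);   // collapses ../ and symlinks
    $root = realpath($webroot);
    if ($path === false || $root === false || !is_file($path)) {
        return null;                                    // nothing at that location
    }
    // Reject a config file that still sits under the document root.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0) {
        return null;
    }
    return $path;
}

// Inside include/init.inc.php, __DIR__ is <gallery>/include.
$galleryDir = dirname(__DIR__);
$webroot    = dirname($galleryDir);   // assumption: gallery sits directly in public_html
$config     = locate_config($galleryDir, '../../include/config.inc.php', $webroot);

if ($config !== null) {
    ob_start();
    require_once $config;             // same buffering pattern as the original block
    ob_clean();
} else {
    // Placeholder: keep whatever init.inc.php already does in its else branch.
    exit('config.inc.php was not found outside the webroot.');
}
```

Because `realpath()` is resolved against the directory of init.inc.php, the lookup gives the same result whichever script in the gallery includes it.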