Config.inc.php and password security?
 


Started by Eric Chadwick, January 27, 2008, 07:43:05 PM


Eric Chadwick

Is it possible (or even advisable) to move the SQL username and password out of the config.inc.php and into a more secure folder on the server? I wonder if it could be a security risk, since the PHP is in fact plain text, unencrypted?

I just moved to BlueHost, where I was pointed to this article about PHP security:
http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=319

Thanks!

Eric Chadwick

Forgot to mention, I found this post in a search...
http://forum.coppermine-gallery.net/index.php?topic=362.msg1864#msg1864

It is more than four years old, so perhaps this potential security hole has been addressed since then?

Nibbler

You can move the file outside the webroot if you want. Just remember to update include/init.inc.php with the new path. Having the file there is standard for web scripts like Coppermine; the risk is small.


Wolfseye

Asking because I am new to Coppermine: how would the changes look if the paths were the following:


http://www.mydomain.com/gallery (URL)



/home/mydomainID/public_html/gallery


If I moved the config out to even before /public_html, what would I have to change in the init.inc.php?
I would appreciate any help. ;)
Thank you.

Wolfseye

Nibbler


// Include config and functions files
if (file_exists('include/config.inc.php')) {
    ob_start();
    require_once 'include/config.inc.php';
    ob_clean();
} else {


Change path there (2 times). Preferably using something like ../../include/config.inc.php to be more portable.
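
The relocation discussed in this thread, as an added example that is not part of the original posts and is not Coppermine code: it resolves the new path against the gallery directory rather than the current working directory, then refuses to load a config that is still under the webroot or is world-readable. The helper name cpg_private_config() is hypothetical, the directory tree is a constructed stand-in for /home/mydomainID/public_html/gallery built in a temp directory, and the permission check assumes PHP runs as the file's owner.

```php
<?php
// Added example; cpg_private_config() is a hypothetical helper, not Coppermine code.
function cpg_private_config(string $galleryDir, string $docRoot, string $relative): string
{
    // Resolve against the gallery directory, not the current working directory.
    $path = realpath($galleryDir . '/' . $relative);
    if ($path === false) {
        throw new RuntimeException("config not found via $relative");
    }
    $root = rtrim(realpath($docRoot), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // A file under the document root can still be requested by URL.
    if (strncmp($path, $root, strlen($root)) === 0) {
        throw new RuntimeException("$path is still inside the webroot");
    }
    // Assumption: PHP runs as the file owner, so "other" needs no read bit.
    if ((fileperms($path) & 0004) !== 0) {
        throw new RuntimeException("$path is world-readable");
    }
    return $path;
}

// Constructed stand-in for the layout described in the thread.
$home    = sys_get_temp_dir() . '/mydomainID_' . getmypid();
$docRoot = "$home/public_html";
$gallery = "$docRoot/gallery";
mkdir("$gallery/include", 0755, true);
mkdir("$home/include", 0755, true);
file_put_contents("$home/include/config.inc.php", "<?php // constructed placeholder\n");
chmod("$home/include/config.inc.php", 0600);
file_put_contents("$gallery/include/config.inc.php", "<?php // old copy left behind\n");

// New location: two levels above the gallery, as suggested in the thread.
$config = cpg_private_config($gallery, $docRoot, '../../include/config.inc.php');
ob_start();
require_once $config;
ob_end_clean();
echo "loaded: $config\n";

// The original location is rejected because it is inside public_html.
try {
    cpg_private_config($gallery, $docRoot, 'include/config.inc.php');
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The second call also shows why the old copy should be deleted after the move: a config left behind in the gallery's include folder is still inside the webroot.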