Another approach is to extract the sensitive portions of your code and place
them in an include file that resides outside your document root path.

i.e.
/home/httpd/php-inc/myincludes.php
/home/httpd/html/mysite/mypage.php

Where mypage.php has the statement
require_once("myincludes.php");

You can add the include path via php.ini or a variety of other methods.

That way no browser can reach it.

--Phil M.

> From: Vaughn Treude
> Organization: Nakota Software, Inc.
> To:
> Subject: dumb PHP question
> Date: Mon, 8 Nov 2004 07:20:37 -0700
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> Hello all:
> I know there are a lot of PHP gurus on this list, so hopefully it's not too
> off-topic.
> I'm a newbie to PHP and I'm struggling with a login script for my
> organization's website. I'm using an example script I got off the Web
> somewhere. It uses MySQL through the "PEAR" database driver. Here's the
> code snippet for the connection code in db_connect.php:
>
> ---------------------------
>
> // require the PEAR::DB classes.
>
> require_once 'DB.php';
>
>
> $db_engine = 'mysql';
> $db_user = 'XXXX';
> $db_pass = 'YYYYYYYY';
> $db_host = 'ieeepacn.com';
> $db_name = 'ZZZZZZZ';
>
> $datasource = $db_engine.'://'.
>               $db_user.':'.
>               $db_pass.'@'.
>               $db_host.'/'.
>               $db_name;
>
>
> $db_object = DB::connect($datasource, TRUE);
>
> ------------------------
>
> This works, but it occurs to me: how can this thing possibly be secure? The
> password's there in clear text. A person would only need read access to get
> it. And if the PHP file's not globally readable, the login fails. Is there
> some factor here I'm missing such that it's more protected than I think? Or
> is there a better way to approach this?
>
> Thanks!
> Vaughn

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
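
The layout described in the reply above, as an added example that is not part of the original thread: a loader that only accepts a credentials file that resolves outside the document root and is not world-readable, then builds the same DSN as the quoted db_connect.php. The names load_db_config(), build_dsn() and db_config.php and the host db.example.org are hypothetical; it assumes Unix permissions and a web server account that reads the file as owner or group member.

```php
<?php
// Added example: load_db_config(), build_dsn() and db_config.php are hypothetical names.
function load_db_config(string $file, string $docroot): array
{
    $real = realpath($file);
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Refuse a file the web server could hand out by URL.
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config file is inside the document root');
    }
    // Refuse a world-readable file; owner or group access is enough for PHP.
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0004) !== 0) {
        throw new RuntimeException('config file is world-readable');
    }
    $cfg = require $real;   // the file returns an array of settings
    foreach (['engine', 'user', 'pass', 'host', 'name'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key])) {
            throw new RuntimeException("config key missing: $key");
        }
    }
    return $cfg;
}

function build_dsn(array $cfg): string
{
    // Same engine://user:pass@host/name form as the quoted db_connect.php.
    return $cfg['engine'] . '://' . $cfg['user'] . ':' . $cfg['pass'] .
           '@' . $cfg['host'] . '/' . $cfg['name'];
}
// Constructed demo in a temp directory, so it runs from the CLI without a web server.
$base = sys_get_temp_dir() . '/inc-demo-' . getmypid();
mkdir("$base/html", 0755, true);      // stands in for /home/httpd/html/mysite
mkdir("$base/php-inc", 0750, true);   // stands in for /home/httpd/php-inc
$body = "<?php return ['engine'=>'mysql','user'=>'XXXX','pass'=>'YYYYYYYY'," .
        "'host'=>'db.example.org','name'=>'ZZZZZZZ'];";
foreach (["$base/html/db_config.php", "$base/php-inc/db_config.php"] as $f) {
    file_put_contents($f, $body);
    chmod($f, 0640);
    try {
        echo build_dsn(load_db_config($f, "$base/html")), "\n";
    } catch (RuntimeException $e) {
        echo "refused $f: ", $e->getMessage(), "\n";
    }
}
```

In a real page the call would be load_db_config('/home/httpd/php-inc/db_config.php', $_SERVER['DOCUMENT_ROOT']), with the result of build_dsn() passed to DB::connect().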