PDA

View Full Version : Is something wrong with my question



charlesp
01-30-2008, 12:47 PM
Is something wrong with my question? It is a simple question but I get no replies. Am I doing something wrong?


I have a configuration file for connecting to a database above the public_html folder. In the file that needs the configuration file I reference the config file with an absolute url such as '/home/XXXXX/includes/lfile name.' Is this insecure and if it is what is the correct way to call a file from above the public_html directory? The file using the configuration file is in a subfolder below public_html, so '../includes/config.php' wont work.

felgall
01-30-2008, 01:21 PM
Try wording the question differently. From reading the question I am not sure what it is that you are asking.

charlesp
01-30-2008, 02:26 PM
I have a php configuration file (file 1) for connecting to a database above the public_html folder - "/home/bhuser/includes/config.inc.php." I have another file in a subfolder in the public_html folder(file 2).

File 2 needs the config file (file 1) to connect to the database such as:
include('../includes/config.inc.php') but this wont work because file 1 is above the public_html folder. So I have in file 2 "include('/home/bhuser/includes/config.inc.php');" without the double quotes.

My question is: Is the way I have it now - include('/home/bhuser/includes/config.inc.php'); a security risk and if it is what would be the proper way to reference this file as an include and keep the config.inc.php file above the public_html folder?

I hope this makes more sense.:o

felgall
01-30-2008, 03:54 PM
I think you can set the include path via the php.ini file. Presumably anything in the path can be found as long as only the file name itself is specified in the include.

charlesp
01-30-2008, 06:06 PM
Thanks Stephen I'll look at the php.ini file. In the mean time is the way I have it not secure?

felgall
01-30-2008, 06:35 PM
The PHP can only be read by someone with direct access to the server unless PHP gets turned off on the server (which happened briefly when Apache was upgraded). Even then if the file you reference is above public_html then it can't be accessed from the web.

charlesp
01-30-2008, 07:08 PM
That's good news because the only iinclude_path I could find in php.ini is being used for something else.