MySQL passwords world readable in PHP files (a solution)

The problem has been discussed before. A new solution has also been presented in that thread.

I think I have a partial solution to the problem. Users can still access other users' files, but you won't need to hard-code any MySQL passwords in your files. The reason I'm presenting my solution here is that I think it is very easy to implement, no major configuration changes are needed, and there will be no performance hits.

The solution is to use PHP's configuration directives to set a default MySQL username and password for each user, by placing the directives in the user's VirtualHost entry in httpd.conf.

Your httpd.conf must not be readable by the Apache user (or any user for that matter, except root.)

This way, of course, you will not be able to give your users multiple MySQL user accounts, but you can always give them multiple databases with the same user.

It is not a complete solution, but it solves a very serious problem in most shared hosting configurations. Besides, there is no real reason to refuse this solution, is there?

So what do you think?
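
The setup described in the post, as an added example that is not part of the original post: a per-user VirtualHost carrying PHP's default MySQL credentials via mod_php's `php_admin_value`. The file path, host name, account name and password placeholder are constructed for illustration.

```apache
# /etc/httpd/conf/httpd.conf  (path is an assumption)
# Keep this file owned by root with mode 0600. Apache parses it as root
# before dropping to its unprivileged user, so the worker processes and
# other shell users never need read access to it.

<VirtualHost *:80>
    ServerName   alice.example.com
    DocumentRoot /home/alice/public_html

    # php_admin_value settings cannot be overridden from .htaccess
    # or with ini_set(), so one user cannot swap in another's defaults.
    php_admin_value mysql.default_host     "localhost"
    php_admin_value mysql.default_user     "alice_db"
    php_admin_value mysql.default_password "REPLACE_WITH_ALICE_PASSWORD"

    # Equivalent directives for the mysqli extension.
    php_admin_value mysqli.default_host "localhost"
    php_admin_value mysqli.default_user "alice_db"
    php_admin_value mysqli.default_pw   "REPLACE_WITH_ALICE_PASSWORD"

    # In the site's PHP code, mysql_connect() called with no arguments
    # now uses these defaults, so no password appears in any .php file.
</VirtualHost>
```

Code running inside that virtual host can still read the values with `ini_get()`, so this protects the password from other users' file reads, not from the site's own scripts.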
