From: "MOD" <br014c1155at_private>

> PHP-Survey is an online survey creation and management system written in
> PHP. It uses a MySQL database on backend for all data handling.
> Global.inc holds the database information, and settings for the survey's
> interface. Global.inc on default settings is not interpreted by PHP hence
> any user can make an HTTP request for global.inc and will be able to view
> the source code, hence the database password, username, localhost is
> revealed, and also superuser information for the administration of the poll
> survey. A solution might be to rename global.inc to global.inc.php.

Better advice would probably be to make .inc files inaccessible for
web browsers. This is generally a good idea, as to the best of my knowledge
no web app ever sends .inc files for anything. On Apache, this could be done
with something like this:

<Files *.inc>
  Order allow,deny
  Deny from all
</Files>

Jens Knoell
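
A file-system audit for the exposure discussed in this thread, added here as an example and not part of the original messages or of PHP-Survey: it walks a document root and reports files that contain PHP source but whose extension the server would send as plain text. It assumes only `.php` is mapped to the interpreter and does not read the Apache configuration; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

PHP_HANDLED = {".php"}  # assumption: only .php is mapped to the interpreter
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.I)  # does not match <?xml
CRED_VAR = re.compile(rb"\$(\w*(?:pass|pwd|user|host)\w*)\s*=", re.I)

def find_exposed_includes(docroot, handled=PHP_HANDLED):
    """Map relative path -> credential-like variable names for files that
    hold PHP source but would be served as plain text."""
    exposed = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in handled:
                continue  # interpreted by PHP, source is not sent
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough
            except OSError:
                continue  # unreadable file: skip it
            if PHP_TAG.search(data):
                names = {m.decode() for m in CRED_VAR.findall(data)}
                rel = os.path.relpath(path, docroot).replace(os.sep, "/")
                exposed[rel] = sorted(names)
    return exposed

def build_sample(root):
    """Constructed sample tree; only the name global.inc comes from the thread."""
    files = {
        "survey/global.inc":
            "<?php\n$dbhost = 'localhost';\n$dbuser = 'u';\n$dbpass = 'p';\n?>",
        "survey/global.inc.php": "<?php $dbpass = 'p'; ?>",
        "survey/index.html": "<html><body>Survey</body></html>",
        "survey/feed.xml": "<?xml version='1.0'?><rss/>",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, names in find_exposed_includes(root).items():
            print(rel, names)
```

Files it reports are candidates for renaming, for moving outside the document root, or for a deny rule like the one in the reply.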
This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 16:17:44 PDT