1
pmhoran
Securing mainfile.php & database connection info ...
  • 2006/3/11 14:27

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


At one time I knew how to move the mainfile out of the root directory. But now I cannot remember.

Could someone please share with me how this is accomplished ... again? I just spent an hour searching for the answer I am sure I got here last time ... with no luck.

Currently ... I have a statement in the "new mainfile.php" in the root

include "../mainfile.php";
?>


It works to log in ... but when I go the Admin Menu & try to do anything ... I get a page full of errors.

So I am obviously forgetting something.

Any & all assistance is appreciated.
Thanks
Peter

2
m0nty
Re: Securing mainfile.php & database connection info ...
  • 2006/3/11 15:07

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


can't see the point myself.. well i can see it, but i don't find it necessary if the server is configured properly..

especially if u set MySQL to only accept connections from localhost or specific IP only.. it would make no difference at all then if some1 knew ur db username n password cos MySQL would refuse the connection.

setting server configs correctly far outweighs anything else..

3
pmhoran
Re: Securing mainfile.php & database connection info ...
  • 2006/3/11 15:21

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


I wasn't exactly paranoid about it until a week ago ... as I mentioned in another post.

Not sure if I was hacked or what ... but somehow just about my entire database on one of my sites got deleted. Only parts that were left were the ones of an AMS module & the Avatars ... everything else was gone ... vanished.

Since I am the only one who should have access to it ... I figure either the web host somehow did it (but I can't really see him doing that). OR ... someone got the info and somehow deleted it.

I know from nothing about php or MySQL or what a hacker can and can't do with a bit of "talent".

Just figured by moving the mainfile & database connection info out of the root ... then it should provide me with one more layer of security. IF I can get it to work

Thanks
Peter

4
Dave_L
Re: Securing mainfile.php & database connection info ...
  • 2006/3/11 18:22

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Instead of a relative path, use an absolute path:


include '/path/to/the/real/mainfile.php' ?>

5
iHackCode
Re: Securing mainfile.php & database connection info ...

And Here Is A Helpful Link.. With Tons Of Helpful Comments.

xoops-tips.com Move MySQL username/password out of mainfile.php
CBB / LatestNews / Publisher / XM-Spotlight

(ノ◕ヮ◕)ノ*:・゚✧

6
pmhoran
Re: Securing mainfile.php & database connection info ...
  • 2006/3/11 18:52

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


Thank you both VERY much

Dave_L - your solution sounds familiar. Should have thought of that myself. Guess I am having a "daaaaah" day.

Bandit-X - thanks for reminding me of that post & the actual Xoops-Tips website. I keep forgetting about it. But I have it bookmarked ... again.

Peter

7
peterr
Re: Securing mainfile.php & database connection info ...
  • 2006/3/13 1:08

  • peterr

  • Just can't stay away

  • Posts: 518

  • Since: 2004/8/5 9


If you really want to change _where_ mainfile.php resides, there are no less than 28 files to change, .... really a total waste of time. :)

All I do is CMOD it to 444, and the MySQL connection is localhost, and as someone else pointed out, there can be no 'external' (direct) connection made when it is setup like that. Of course a fair bit might depend on the technical expertise of who is looking after the server, and how 'tight' security is, the one I use has only had one hack, a user abused the shell/SSH privs, so now SSH is not available.

There could be many reasons for the db being 'hacked' or whatever happened, possible sql injection attacks, or a person was able to login (never disclose the 'webmaster' login and use some very cryptic password, not one that is easy to guess). Your web server logs will of course show you of any logins, or where sql code was being attempted to be used in some manner.

P
NO to the Microsoft Office format as an ISO standard.
Sign the petition

Login

Who's Online

154 user(s) are online (99 user(s) are browsing Support Forums)


Members: 0


Guests: 154


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Dec 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits