setting include_path on shared server

My shared host used to have Php configured such that I could place a  
php.ini file into any directory on my site and that was the php.ini file  
that the Php cgi would use when it ran scripts.

Since upgrading to Php5.1 that is no longer possible (not allowed in  
Php5.1 (?) ).

Anyway, ... this was a very handy way for me to set the include path so  
that I could keep files with sensitive data (e.g., database usernames,  
passwords) out of the site's public path.

My hosting service has actually rolled back to Php5.0 so that I could  
continue doing as I had been ... with the caveat that they will  
ultimately have to go with 5.1.

So, I have a set of questions.

1.  Is there another way that I can set the include path globally for my  
site?  (Adding them to htaccess throws a 500 server error.)

2. How much security is really gained by moving sensitive include files  
out of the site path (my include files all use the .php extension)?  
Should I even be that concerned about this capability?

3.  Would I gain the same security if I changed my current include files  
(which I would have to put back into the public site path) to do nothing  
but set include_path outside the public site and then include a new,  
secondary file which actually contains the sensitive data?

4.  Does anyone know why I *can* use local php.ini files in 5.01 and not  
in 5.1?

 Chuck Anderson • Boulder, CO

Re: setting include_path on shared server

On 2006-08-07, Chuck Anderson wrote:

Like this?

php_value include_path "whatever"

If it doesn't work, then a vague part of my memory says that Apache's
AllowOverride directive might be the problem. Unfortunately I don't
remember the minimal setting needed for php_value and such to work. You
would need to contact the admins to have it changed.

The only potential risk I can see is if the admins accidentally disable
PHP processing, e.g. while updating some configuration files. So I'd say
it depends on how competent and alert the admins are. Still, even with
good admins, I'd better be safe than sorry.

As far as I can tell, it would give you almost the same security. Again
the only potential problem I can see is accidentally disabling PHP, which
would let your users see the filenames you're including. Then they'd have
a more accurate idea of where to look, in the non public parts of the
server. But at least now they'd have to somehow get local access, as
well as overriding the permissions that prevent users from peeking at
each other's files (.. you do have permissions set like that, right?).

    `^'                 Sanity is an illusion

Re: setting include_path on shared server

Jesper H. wrote:
I do not know what the issue is, but my host admin says it is not
possible with Php5.1 (?).

That's the way I feel, too.

That's how I see it, but I want to be sure I'm not missing something. It
seems like the easiest "fix."

I've left most directory/file attributes at defaults, so you've prompted
me to play around and see if I can set these important folders to 700.
Everything still seems to work, so thanks for that.

 Chuck Anderson • Boulder, CO
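
Added example, not part of the thread: the stub approach from question 3, written for PHP 7 or later, which also checks the 700 directory mode mentioned in the last reply. The paths, the file name and the assumption that the private file returns an array are hypothetical.

```php
<?php
// Public stub (added example). Assumed layout, not taken from the thread:
//   /home/example/public_html/config.php   <- this file, inside the web root
//   /home/example/private/db_settings.php  <- secrets, outside the web root;
//                                             assumed to `return [...]` an array
declare(strict_types=1);

const PRIVATE_DIR  = '/home/example/private';  // hypothetical path
const SECRETS_FILE = 'db_settings.php';        // hypothetical file name

// True when $path is $root itself or lies somewhere beneath it.
function is_inside(string $path, string $root): bool
{
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $root, strlen($root)) === 0;
}

function load_private_config(string $privateDir, string $file, string $docRoot)
{
    $dir  = realpath($privateDir);   // resolves symlinks and ".." segments
    $root = realpath($docRoot);
    if ($dir === false || $root === false) {
        throw new RuntimeException('configuration directory not found');
    }
    // If the directory is under the web root, its files can be requested by
    // URL and would be served as plain text whenever PHP handling is off.
    if (is_inside($dir, $root)) {
        throw new RuntimeException('private directory is inside the web root');
    }
    // Group and other permission bits must be clear (mode 0700), so other
    // accounts on the shared server cannot read the directory.
    $mode = fileperms($dir) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('private directory mode %04o is too open', $mode));
    }
    // Later include/require calls with bare file names also resolve here.
    set_include_path($dir . PATH_SEPARATOR . get_include_path());
    return require $dir . DIRECTORY_SEPARATOR . $file;
}

try {
    $config = load_private_config(PRIVATE_DIR, SECRETS_FILE, $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
} catch (RuntimeException $e) {
    error_log('config stub: ' . $e->getMessage());  // details go to the log only
    http_response_code(500);
    exit;
}
```

If PHP processing were disabled, this stub would be served as source and reveal the private path, but not the credentials stored in the file it loads.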
