Connecting to a database requires that passwords be included in the script at some point. Other scripts you write may include sensitive information. This information may be exposed if you do not wrap your PHP scripts.
Protecting your scripts from prying eyes is called "wrapping." When you wrap a script, it is called by another script that hides your script and performs a number of security checks to ensure only authorized use is made of it.
How do other users see the passwords?
There are two ways:
If you place the passwords in a file that is readable by other users in your group, they can browse to your directory using FTP or Telnet and read them directly. Some hosts prevent this by chrooting user logins (making /usr/home/username equal to / when you log in; chroot is Unix for "change root"). However, many of them do not plug a similar hole: other users on your server can access your files if those files are readable by the web server. In that case, another user simply writes a script (run as userid "nobody", the web server's user) that reads any file on the server the web server itself can read.
Apart from "wrapping", there are some basic precautions that should be taken:
Wherever possible, keep files in a folder that is "outside" your web server root directory. For example....
Check the file ownership. If your web server runs as user "apache" and group "apache", change the ownership of your *.php files to that of your web server (example: run chown -R apache:apache * in the directory where your index.php resides; chmod sets permission bits, chown is the command that changes ownership).
Edit your web server config file to password protect your administration (and similar) scripts. For example....
If you installed Tavi within your publicly available directory, also make sure you protect actions/admin.php against those "I know the Tavi system" hackers.
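The permission and ownership checks above are easy to get wrong by hand, so here is an added example (not part of the original Tavi documentation) that audits a directory tree for .php and .inc files other users on the host could read, and tightens one file so that only you and the web server's group can read it. The group name "apache" is an assumption taken from the example above; override WEB_GROUP for your host. Note what this does and does not close: mode 640 stops other users' FTP or Telnet logins from reading the file, but anything the web server executes can still read it, which is the second hole the text describes.

```shell
#!/bin/sh
# Added example, not part of the Tavi project. Assumes POSIX sh with GNU or
# BSD `stat` and `find`. WEB_GROUP is the group the web server runs as; the
# default "apache" is an assumption, override it for your host.
WEB_GROUP="${WEB_GROUP:-apache}"

# mode_of FILE -> octal permission bits such as 644 (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# owner_of FILE -> "user:group" of the file.
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# world_readable FILE -> exit 0 when the "other" read bit (4) is set.
# The last octal digit is taken as a string so a leading 0 is never
# misread as octal arithmetic.
world_readable() {
    mode=$(mode_of "$1")
    other=${mode#"${mode%?}"}
    case $other in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_tree DIR -> one line per .php/.inc file:
#   "<mode> <owner:group> <path> <verdict>"  with verdict WORLD-READABLE or ok
audit_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) | sort |
    while IFS= read -r f; do
        if world_readable "$f"; then v=WORLD-READABLE; else v=ok; fi
        printf '%s %s %s %s\n' "$(mode_of "$f")" "$(owner_of "$f")" "$f" "$v"
    done
}

# count_world_readable DIR -> number of flagged files (0 when none).
count_world_readable() {
    audit_tree "$1" | grep -c 'WORLD-READABLE$' || true
}

# harden_file FILE -> owner read/write, web-server group read, nobody else.
# Other login accounts can no longer read the file; scripts run by the web
# server still can, so credentials belong outside the document root as well.
harden_file() {
    chgrp "$WEB_GROUP" "$1" && chmod 640 "$1"
}

# Usage: sh audit.sh /home/you/public_html
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it against your web directory before and after applying the ownership changes from the list above; any line ending in WORLD-READABLE is a file that every login account on the host can open.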