How to secure my php script


MaryC
08-04-2005, 06:31 PM
I was told to put my PHP script under the /www directory, not the cgi-bin directory. Doesn't this expose my script? I have the login info for the MySQL database in the script; I would rather hide this script somewhere so that in case something goes wrong the public won't see my code. Or maybe I should just change the privilege from rw to x only?

sheila
08-04-2005, 06:51 PM
Hello Mary,

PHP files must be placed within the /www directory in order for the server to parse them. There is no other way for the mod_php Apache module to process PHP pages.

Usually, PHP scripts that access MySQL do require that the password be placed somewhere within the script or one of its include files. It is possible to put the include files outside of the /www directory, as suggested in this post:
http://www.aota.net/forums/showthread.php?postid=111758#post111758

Overall, you will want to make sure that the scripts you are running on your site take all of the usual security precautions. If someone is able to compromise the site via the scripts, it may not make any difference where you have stored such information, if they are able to gain full access to your site.

PHP files need to have permissions 644 in order to be able to be parsed by the web server.

MaryC
08-04-2005, 07:04 PM
Thank you for your quick response.

MaryC

RickJ
08-04-2005, 09:15 PM
I've always understood that, as long as the script's filename has an extension that the apache module understands as being a PHP script (e.g., php, php3, php4, phtml, etc.), then the server will "interpret" the script (the desired behavior) rather than display the script code.

That way, the script itself is not "exposed," thus protecting whatever lines of code are in the script file. The user never sees the code, only the result of the code.

Right?

Arthur
08-05-2005, 04:47 AM
All your PHP scripts should go into your www directory, or a subdirectory of your www directory, like Sheila said. The file should be readable by the web server.

As Rick suggested, the Apache web server is set up to treat files with the file extensions .php, .php3 and .php4 as special. Instead of outputting the file directly, like it would with a .html file, the web server will send the file to the PHP module. This is similar to how all files in the cgi-bin directory are treated.
After the script has been parsed and executed by the PHP module, it will send whatever the output of the script is back to Apache, which will then send it to the user's web browser.

If you feel uneasy about placing passwords in a script that is accessible from the web, you could separate that section from your script and put the login credentials in a file outside the www tree, for example in /big/dom/xyourdomain/. Then in your script simply include the file, using PHP's include() command. Anything in the directory /big/dom/xyourdomain/ is inaccessible from the web. Additionally FutureQuest, unlike some web hosts, has measures in place that prevent any other user on the same server accessing your files.
This has the added bonus of being able to include the file in other scripts as well and in case you change the password, you only have to change one file.

Arthur
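A worked version of the arrangement Sheila and Arthur describe, added here as an illustration (it is not code from the thread, from FutureQuest, or from the linked post): the credentials live in a file outside the www tree and a page under www pulls them in by filesystem path, so even if the server ever served the page's source as text, the password would not be in it. The directory /big/dom/xyourdomain/ is the one Arthur gave; the file name dbconfig.php, the layout of its returned array, the database and table names, and the use of the mysqli extension are assumptions for the example.

```php
<?php
// /big/dom/xyourdomain/www/list_users.php   (mode 0644, parsed by mod_php)
// Added example, not code from the thread. It assumes a credentials file at
// /big/dom/xyourdomain/dbconfig.php, OUTSIDE the www tree, readable only by the
// account your scripts run as, whose entire content is (assumed layout):
//
//   <?php
//   return array('host' => 'localhost', 'user' => 'xyourdomain',
//                'pass' => 'replace-with-real-password', 'name' => 'xyourdomain_db');
//
// Returning an array (rather than setting globals) keeps the secrets confined
// to the variable that receives them, so they can be dropped after connecting.

$configFile = '/big/dom/xyourdomain/dbconfig.php';

// Fail closed: if the file is missing or unreadable, stop with a generic error
// instead of falling through to a connection attempt with empty credentials.
if (!is_readable($configFile)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Configuration missing');
}
$db = require $configFile;   // require (or require_once) returns the file's return value

// Report connection problems through return values, not exceptions or warnings,
// so the check below works the same on old and new PHP versions.
mysqli_report(MYSQLI_REPORT_OFF);
$conn = new mysqli($db['host'], $db['user'], $db['pass'], $db['name']);
if ($conn->connect_error) {
    // Log the real reason server-side; never echo connect_error to the browser,
    // it can reveal the user name and host you are trying to hide.
    error_log('DB connect failed: ' . $conn->connect_error);
    header('HTTP/1.1 500 Internal Server Error');
    exit('Database unavailable');
}
unset($db);   // credentials are not needed once the connection is open

// A fixed query that interpolates no user input; table/column names are assumed.
$result = $conn->query('SELECT id, username FROM users ORDER BY id LIMIT 20');
if ($result === false) {
    error_log('Query failed: ' . $conn->error);
    exit('Database error');
}

echo "<ul>\n";
while ($row = $result->fetch_assoc()) {
    // Escape on output so a username containing markup cannot inject HTML.
    echo '<li>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
echo "</ul>\n";
$conn->close();
```

The credentials file should still end in .php: if it is ever copied into the www tree by mistake, Apache will hand it to PHP (which only executes the return statement and outputs nothing) instead of serving its contents as text. As Sheila notes, this protects against the source being displayed, not against a compromise of the account itself.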

hobbes
08-05-2005, 07:53 AM
Note that you can have PHP CGI scripts:

    #!/usr/local/bin/php-cli
    <?php
    ...
    ?>

Just make sure it has executable privileges (755). Then you can place it in cgi-bin with any extension, or under www/ with a .cgi extension.

But splitting out the MySQL auth info and placing it outside www/ with a require_once in the main script is a good solution. Though in the FQ environment someone shouldn't be able to access the MySQL server unless they're in your account, and if that's the case, then they can have your auth info anyway...
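A complete version of the CGI-style script hobbes sketches, added here as an illustration (not code from the thread). It shows the two things that change when PHP runs as a CGI under the CLI binary rather than under mod_php: the script must print its own HTTP headers, and the query string is not parsed into $_GET automatically. The interpreter path is the one hobbes gave; the file name, the credentials path /big/dom/xyourdomain/dbconfig.php and the assumption that it returns an array are taken over from the earlier example and are likewise assumptions.

```php
#!/usr/local/bin/php-cli
<?php
// /big/dom/xyourdomain/www/hello.cgi   (mode 0755, executed by Apache as a CGI)
// Added example, not code from the thread. File name is an assumption.

// 1. Headers. The CLI SAPI never sends HTTP headers (header() is a no-op there),
//    so a CGI script must print them itself, terminated by a blank line, before
//    any body output. Forgetting this gives Apache's "malformed header from
//    script" 500 error rather than a page.
echo "Content-Type: text/plain; charset=UTF-8\r\n\r\n";

// 2. Request data. The CLI SAPI also does not populate $_GET from the CGI
//    environment; read QUERY_STRING yourself. getenv() returns false when the
//    variable is unset, and the (string) cast turns that into ''.
parse_str((string) getenv('QUERY_STRING'), $get);
$name = isset($get['name']) ? $get['name'] : 'world';

// 3. Secrets. Same arrangement as under mod_php: the credentials file stays
//    outside the www tree and is loaded by path, never served.
$db = require '/big/dom/xyourdomain/dbconfig.php';   // assumed to return an array

// Output here is text/plain, so no HTML escaping is required. With a
// text/html Content-Type, $name must go through htmlspecialchars() first.
echo "Hello, $name.\n";
echo 'Credentials file loaded: ' . (is_array($db) ? 'yes' : 'no') . "\n";
```

Because Apache runs the file as a program, the script needs the execute bit (755) that a mod_php page does not, and the shebang line is consumed by php-cli rather than printed.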