Gossamer Forum

.htaccess Security Tip!

Another script I use got hacked the other day because the config file and pass file could be downloaded via HTTP. Even if you chmod files correctly, they can be viewed by httpd if a user knows they exist.

Use a protected cgi-bin for data files. Second, create a file called .htaccess and put this in there:


Code:
<Files "default.pass">
order deny,allow
deny from all
</Files>

You can do an entry for each file you want to protect that way. This works on Apache servers. Despite the fact that these passwords are crypted, there are TONS of decrypt programs available. I should know, my site was hacked this way.

Your scripts will still be able to access the files. No one will be able to get to them from the web server directly though! And that's the point!



------------------
The Crowe crowe@charter.net
www.lit.org Links Engine for Writing on the net!
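
Added example, not part of the original post: a small Python audit that lists the data files in a directory which that directory's .htaccess does not cover with a deny-all `<Files>` or `<FilesMatch>` block. The SENSITIVE name patterns, the function names and the sample directory are constructed assumptions; the check also accepts the Apache 2.4 form `Require all denied`.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# Constructed list of name patterns treated as sensitive (an assumption; adjust it).
SENSITIVE = ["*.pass", "*.cfg", "*.db", "*.log"]
BLOCK = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.I | re.S)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def denied_matchers(text):
    """Return a name predicate for each <Files>/<FilesMatch> block that denies all.
    Simplification: later Allow/Satisfy overrides are not evaluated."""
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # drop commented-out lines
    matchers = []
    for kind, pattern, body in BLOCK.findall(text):
        if not DENY.search(body):
            continue
        if kind.lower() == "filesmatch":
            rx = re.compile(pattern)
            matchers.append(lambda name, rx=rx: rx.search(name) is not None)
        else:
            matchers.append(lambda name, p=pattern: fnmatch.fnmatchcase(name, p))
    return matchers

def unprotected(directory):
    """List sensitive files in `directory` that no deny-all block covers."""
    d = Path(directory)
    ht = d / ".htaccess"
    matchers = denied_matchers(ht.read_text() if ht.is_file() else "")
    exposed = []
    for f in sorted(d.iterdir()):
        sensitive = any(fnmatch.fnmatchcase(f.name, s) for s in SENSITIVE)
        if f.is_file() and sensitive and not any(m(f.name) for m in matchers):
            exposed.append(f.name)
    return exposed

def demo():
    """Audit a constructed data directory: only default.cfg is left uncovered."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("default.pass", "default.cfg", "default.db", "index.html"):
            (d / name).write_text("constructed sample\n")
        (d / ".htaccess").write_text(
            '<Files "default.pass">\norder deny,allow\ndeny from all\n</Files>\n'
            '<FilesMatch "\\.db$">\nRequire all denied\n</FilesMatch>\n')
        return unprotected(d)

if __name__ == "__main__":
    print(demo())
```

Call `unprotected()` on each directory under the web root that holds script data; an empty list means every file matching SENSITIVE is covered by a deny-all block.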