Thread: settings.php viewable by the world
View Single Post
  #4 (permalink)  
Old 07-20-2008, 08:51 AM
rspx0 rspx0 is offline
New Pligger
 		 
Join Date: Jul 2008
Posts: 8
Thanks: 1
Thanked 0 Times in 0 Posts
Hi -- thanks for the reply:

Quote:
Originally Posted by cmstheme View Post
1. *.php code can't be viewed in any browser, instead it shows the output of the code if there's any, shows any errors/warnings, or it will only a blank screen. Correct me if I'm wrong with this and please let me know if there's a way that I can view a PHP code in a browser.
If anybody attempts to view settings.php right now on my site (typing www.example.com/settings.php into their browser address bar), this is what they see:

Warning: include_once(mnmincludesettings_from_db.php) [function.include-once]: failed to open stream: No such file or directory in /home/.servername/username/example.com/settings.php on line 6

Warning: include_once() [function.include]: Failed opening 'mnmincludesettings_from_db.php' for inclusion (include_path='.:/usr/local/php5/lib/php:/usr/local/lib/php') in /home/.servername/username/example.com/settings.php on line 6

I've removed any personally identifying material in the path but included is the name of DreamHost's server, then my DreamHost username, and then the name of the site (because DreamHost generally install to a directory within /home named after the domain URL).

Quote:
2. If they knew the path where it's installed, it's only the path. They will not know the login credentials except for the username.
Well, I might be unnecessarily concerned, but that's more than I want them to know!

Quote:
The username is known because it gets from the domain name. For example, if I have a domain that is example.com, for sure the username is "example" because it did not exceed 8 chars.
I'm not entirely sure what you mean here, but I don't think what you say is the case for DreamHost shared hosting accounts.

Quote:
3. You can set permission to each files under your account even if it's a shared account.
Yes, but it makes no difference. Right now the permissions of settings.php is -rw-------. It's still viewable by the world. It's owned by my username. The group is something obscure (letters+numbers) and I assume relates to how DreamHost handle shared hosting. The site works fine with this permission setting on the file, btw.

Quote:
4. The warning messages is by default TURNED ON.
So how do I turn it off? I've googled various htaccess rules for turning off PHP errors and none seem to work (including what's been posted here by somebody else). I don't think what I'm seeing is a PHP error.
Reply With Quote