[nycphp-talk] Shared host db credentials solution
Aaron Fischer
agfische at email.smith.edu
Tue Aug 15 12:26:36 EDT 2006
OK, so I made the request to my IT department to implement the db
credentials solution recommended in Essential PHP Security and the PHP
Cookbook. (Creating the db.conf and editing httpd.conf in order to
create $_SERVER vars which contain the uname, pwd info.)
They sent an email back and I'm not sure how to respond due to my lack
of Apache server experience. Can folks give suggestions for a response?
They say:
In order for apache to be able to read the variables, the apache account
will need access to it. The problem with this is the most likely
account to be compromised on websvr is the apache account. At this
point you have security thru obscurity - the person won't know where to
look for the file, which makes it less likely to stumble upon it and
figure out its importance.
Another possible solution would be to run a separate instance of apache
to handle https, or possibly your own area - but we would have to look
into the viability of that, and it won't be a short term solution (esp.
with the August panic setting in).
You don't have your own VirtualHost area. It might be worth trying in
your own <Directory> area to see if that fulfills your needs. Another
way might be to put it in an .htaccess file - .htaccess files aren't
just for password protecting areas!
Thanks for any suggestions.
-Aaron
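As an added example (not part of Aaron's post, the books he cites, or his IT department's reply), here is the db.conf / SetEnv layout under discussion together with a small check that the file is kept out of the apache account's reach. The file path, the DocumentRoot and the credential values are constructed placeholders.

```bash
#!/bin/sh
# Added example: db.conf included from httpd.conf, exposed to PHP as $_SERVER vars.
# httpd.conf and every file it Includes are parsed by the parent httpd process
# (root) at startup, before the workers switch to the apache user, so the file
# itself can be root-owned and mode 0600. The values still end up in each
# worker's environment, so any PHP script served by the same httpd instance
# (e.g. other users on a shared host, or phpinfo()) can read them.
set -eu

# write_db_conf <path>   -- constructed sample values; replace before use.
write_db_conf() {
    umask 077                       # file is created 0600
    cat > "$1" <<'EOF'
# Include this from httpd.conf:   Include /etc/httpd/conf/db.conf   (assumed path)
# PHP reads the values as $_SERVER['DB_USER'] and $_SERVER['DB_PASS'].
SetEnv DB_USER example_user
SetEnv DB_PASS example_password_CHANGE_ME
EOF
}

# check_db_conf <path> <expected-owner> <docroot>
# Returns 0 when the file is owned by <expected-owner>, readable only by its
# owner, and located outside <docroot>; otherwise prints the reason and returns 1.
check_db_conf() {
    f=$1; owner=$2; docroot=$3
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    case "$f" in "$docroot"/*) echo "inside DocumentRoot: $f"; return 1;; esac
    set -- $(ls -l "$f")            # field 1 = mode string, field 3 = owner
    mode=$1; fowner=$3
    [ "$fowner" = "$owner" ] || { echo "owner is $fowner, expected $owner"; return 1; }
    case "$mode" in
        ?r[w-]-------*) ;;          # 0600 or 0400 (trailing '+'/'.' from ACL/SELinux is fine)
        *) echo "mode $mode is readable by group or others"; return 1;;
    esac
    return 0
}
```

In production the expected owner would be root (or whichever account starts httpd), not the account the PHP scripts run as.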