From: James E. F. <jf...@ac...> - 2003-01-17 21:31:56
Initially my feeling was that phpESP should be installed somewhere outside of the web accessible part of your filesystem. This would ensure that phpESP.ini would not be compromised. However it seems many people cannot understand how to do this, and many cannot do so because they have to deal with open_basedir restrictions from their hosting service.

In light of this, I am willing to change the extension. The change would be to rename phpESP.ini to phpESP.ini.php. I would like the developers to vote on this (-1/0/+1).

This also brings up an important point about mysql security. If you are concerned about your database passwords, then I suggest you read the mysql manual on permissions. The mysql security model allows restricting access based on IP addresses, username/password, database, and actions. My mysql server uses phpesp with the default password (phpesp), and it doesn't matter that I tell you that because the restrictions on hostnames, databases, and permissions on that account prevent anyone from doing damage. Anyone administering a mysql server should RTFM.

-James

---------- Forwarded message ----------
Date: Fri, 17 Jan 2003 16:45:39 +0100
From: fl...@gm...
Subject: Re: [phpesp-dev] themes when embedding

hi and happy new year!

i have a really unnice message: my server let open port 8080 and with that and misconfiguration all websurfers can look in my phpesp ini which is bloody uncool! so there is the need to change it to ext.php! i think... when php crashes then it's the only point to have a chance to look in a php file otherwise no! is there any chance to do this or do i have to change it by myself?....... (bad on upgrades)

kind regards
flobee
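
The account restrictions James describes (host, database, and permitted actions) can be expressed as follows. This is an added example, not part of the original thread or of phpESP; it uses current MySQL (5.7/8.0) syntax, and the database name `phpesp`, the web server address `192.0.2.10`, the privilege list, and the password placeholder are assumptions.

```sql
-- Added example. Assumed values, not from the thread: database `phpesp`,
-- web server address 192.0.2.10, the privilege list, the placeholder password.

-- 1. Bind the account to the single host that runs the PHP application,
--    so the credentials are not accepted from any other address.
CREATE USER 'phpesp'@'192.0.2.10' IDENTIFIED BY 'replace-with-site-password';

-- 2. Allow only row-level actions, and only on the survey database:
--    no DDL, no GRANT OPTION, no global privileges.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON phpesp.*
    TO 'phpesp'@'192.0.2.10';

-- 3. Review exactly what the account is allowed to do.
SHOW GRANTS FOR 'phpesp'@'192.0.2.10';

-- 4. Audit: any row returned here means the account name is also
--    defined for a wildcard or empty host and is reachable from anywhere.
SELECT User, Host
  FROM mysql.user
 WHERE User = 'phpesp'
   AND Host IN ('%', '');

-- 5. Audit: global privileges for the account; every column should be 'N'.
SELECT User, Host, Select_priv, File_priv, Process_priv, Super_priv, Grant_priv
  FROM mysql.user
 WHERE User = 'phpesp';

-- 6. Audit: per-database privileges; only the four DML columns should be 'Y',
--    and only for the survey database.
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, Alter_priv, Grant_priv
  FROM mysql.db
 WHERE User = 'phpesp';
```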