It would be REALLY nice if you guys would take into account some of us have PHPLib installed and have the ability to put files outside of the web server's root. I hate putting passwords in any file that the web server has access to - very poor security even if the server should process the file.
Are conflicts with phplib and files outside the server root two separate issues, or flip sides of the same pancake?
You can easily install the entire phpwiki tarball outside the server root, then copy back the few files that need to be web accessible: index.php, the icons/images, and (for 1.3) the style sheets.
Then you need only ensure that php's include_path is set properly so that php can find the rest of the code. In phpwiki 1.3.x there is a line near the top of index.php (commented out, by default) which hints at how to do this:
ini_set('include_path', '.:/where/you/installed/phpwiki');
For 1.3.x you also may need to set DATA_PATH, and possibly other miscellaneous defines in index.php.
Basically the same is possible for 1.2, though the details are different. (Which version of phpwiki are you working with?)
As for the troubles with phplib: I'm not very familiar with phplib. Could you explain what the problems are?
And as for publicly readable passwords, I share the same fears as you. On the other hand there are few fixes which offer any real solution. Whatever files contain the passwords have to be readable by whatever user/group apache runs as (barring cgi-wrappers). The phpwiki admin password could be hashed --- that would help a bit. If using an SQL backend, the sql access passwords can't be hashed --- if using a dbm-based backend, the dbm files have to be writable by the apache user. Unless you have a dedicated server, I don't see any real solutions.
Ideas?
I haven't gotten PHPWiki to run yet (see help post). Usually it is file naming conventions. Yes, I'm aware of the ability to move files out of the tree and I'll do that once I get it to run.
In regards to the password issue, I'll make a config file and put it out of the tree and "include()" it. That solves the problem.
Ken
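The approach discussed in this thread (secrets kept in a file outside the document root and pulled in with include, plus a hashed admin password), as an added example that is not part of the original posts or of PhpWiki's code. The paths, the `admin_hash` and `db_pass` keys and both function names are hypothetical.

```php
<?php
// Added example. Paths, array keys and function names are hypothetical.

// Load a secrets file, refusing one that is web-reachable or world-readable.
function load_secrets(string $file, string $docroot): array
{
    $real = realpath($file);      // resolves symlinks and ".." segments
    $root = realpath($docroot);
    if ($real === false || $root === false) {
        throw new RuntimeException('secrets file or document root not found');
    }
    // Compare with a trailing separator so /var/www-private is not
    // mistaken for something inside /var/www.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("$real is inside the document root");
    }
    // The web server user has to read the file; other local users do not.
    if ((fileperms($real) & 0004) !== 0) {
        throw new RuntimeException("$real is world-readable");
    }
    $secrets = require $real;     // file body: <?php return [...];
    if (!is_array($secrets)) {
        throw new RuntimeException("$real did not return an array");
    }
    return $secrets;
}

// Only a hash of the admin password is stored, never the password itself.
function admin_login_ok(array $secrets, string $typed): bool
{
    return password_verify($typed, $secrets['admin_hash']);
}

// Constructed demo layout: a document root and a private directory beside it.
$base = sys_get_temp_dir() . '/wikidemo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750, true);
$demo = [
    'admin_hash' => password_hash('constructed-demo-password', PASSWORD_DEFAULT),
    'db_pass'    => 'constructed-db-password', // must stay recoverable for SQL
];
$path = "$base/private/secrets.php";
file_put_contents($path, '<?php return ' . var_export($demo, true) . ';');
chmod($path, 0640);

$secrets = load_secrets($path, "$base/htdocs");
var_dump(admin_login_ok($secrets, 'constructed-demo-password'));
var_dump(admin_login_ok($secrets, 'wrong-guess'));
```

The permission check only keeps out local users other than the web server account; code from other sites running under that same account on a shared host can still read the file.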