I have had more than a few clients ask for the same things: blogs, shopping carts, newsletter systems, etc.
So, instead of recreating the back-end every time, I've created a cool little PHP application. The first part of my application acts as a package manager. There is a config file that I use to input all the information my packages will need.
The main information that is contained in that config file is the username and password of the administrator (hashed though the password may be), and the connection information to the MySQL database.
I got to thinking about it when I started using file_get_contents() in my packages... can't someone from a remote server list the site directory, and use file_get_contents() from their end to view my PHP source?
Obviously this is a huge security problem if that is the case, and I can't seem to think of a way to stop that from happening.
Is there a standard way to protect against these kinds of attacks?