[pmwiki-users] Using the cgi-bin directory
Patrick R. Michaud
pmichaud at pobox.com
Wed Apr 9 12:32:14 CDT 2008
On Wed, Apr 09, 2008 at 05:46:02PM +0200, Peter & Melodye Bowers wrote:
> >But if you are concerned about security, encrypt your password - then
> >it doesn't matter if others can see it. Just add "?action=crypt" to
> >the URL of any page on any pmwiki website to get a form to generate an
> >encrypted version of your password.
> >
> >Use encrypted passwords in your config.php and anywhere else that you
> >need to put a password.
>
> Just to set my mind at ease... The only way someone could get access to the
> text within config.php is if they have physical access to the server or in
> some other way have compromised the overall security of the server, right?
> I mean, nobody with a browser could somehow look at the *contents* of a PHP
> source file, could they?

In general it's very difficult to view the contents of a PHP file
from a browser. In the case of local/config.php, usually one of
two things happens:

1. The .htaccess file that is in the local/ directory prevents
   a browser from viewing config.php

2. The webserver sees that config.php is a PHP script and executes it.
   Of course, since the script generally does little more than set variables
   or load recipes, the browser gets back a blank page or a page with an
   error message on it.

Pm
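
Added example (not part of the message above and not PmWiki's own code): a small Python check for your own wiki that classifies the response to a direct request for local/config.php into the two outcomes described in the reply, and goes one step further by flagging the case where the server returns the file as text. The outcome labels, sample responses and the marker list are constructed for illustration.

```python
"""Classify how a web server answers a direct request for local/config.php."""
import urllib.error
import urllib.request

# Strings that should never reach a browser: the PHP open tag and PmWiki
# variables that are typically set in config.php.
SOURCE_MARKERS = ("<?php", "$DefaultPasswords", "$WikiTitle")


def classify(status, body):
    """Map an HTTP status/body pair to an outcome label."""
    if any(marker in body for marker in SOURCE_MARKERS):
        return "SOURCE_EXPOSED"  # file sent as text: PHP is not being executed
    if status in (401, 403, 404):
        return "BLOCKED"         # outcome 1: .htaccess or a server rule denies it
    if status == 200:
        return "EXECUTED"        # outcome 2: script ran; blank page or error text
    return "UNKNOWN"


def check_url(url, timeout=10):
    """Fetch url and classify the response, including HTTP error responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "htaccess deny": (403, "<h1>Forbidden</h1>"),
    "executed, blank": (200, ""),
    "executed, error": (200, "Warning: include_once(): failed opening 'x.php'"),
    "handler missing": (200, "<?php\n$DefaultPasswords['admin'] = 'CONSTRUCTED';\n"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name:16} -> {classify(status, body)}")
```

A SOURCE_EXPOSED result means neither protection is in effect, so any password or hash in config.php should be treated as disclosed.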