PHP include/include_path


Maurice
04-01-2001, 02:29 PM
I wish I didn't have to post a message in the forum because I'm pretty sure I saw the answer to this question in the KnowledgeBase, but it's still down...

The question is simply this.

I plan to store PHP files with critical info (e.g., username and password to connect to a MySQL db) outside my public Web directory. It would be nice to be able to edit the include_path in php.ini to point to this directory, but I suspect that can't be done, correct? In other words, my include commands would have to include the full path, right?

allen
04-01-2001, 03:37 PM
I don't think it can, since everyone on one server uses the same PHP module. Why not just name the include file with an extension .php? This way, anyone who tries to access the file will only see parsed output, which since it is a file with db usernames and passwords will generate nothing. If you feel paranoid, suppress all error messages @.

Maurice
04-01-2001, 04:10 PM
Thanks, allen.

I perfectly agree with your suggestion -- that's what I had to do with my other Web host. It also makes sense that php.ini can't be changed since, indeed, we all use the same PHP module on the server. I just thought I'd check, though.

The paranoia, if such there is, has more to do with, as you well know, "What if PHP stopped working on the HR server?" Apparently, having such sensitive files outside the Web tree is already a good start. Whether the extension (.inc versus .php) makes a big difference, I'm not sure, since should PHP stop working, some plain text might be displayed on screen (unprocessed) regardless. If that text happens to be of a path to which only I have access, then it's not a big deal -- and the password info is still safe.

Again, thanks for your insights. (This forum has to be one of the greatest strengths of being with HR.)

Maurice

halsey
04-01-2001, 07:46 PM
Try putting the include.inc file in your root directory, then use code similar to the following:

--
include("/home/username/include.inc");
--

where "username" is your username on HR's servers. Works for me.
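
An added example, not part of the thread: it sets include_path per script rather than in php.ini, resolves the credentials file through that path, and refuses to load it if it resolves to a location inside the public web tree. The directory, the file name `db.inc.php` and the array keys are hypothetical, and `stream_resolve_include_path()` assumes PHP 5.3.2 or later.

```php
<?php
// Added example. Assumed (hypothetical) layout on the host:
//   /home/username/private/db.inc.php   <- outside the public web directory
// whose whole content is a PHP file returning an array with constructed values,
// e.g. array('user' => 'dbuser', 'pass' => 'constructed-sample').

function load_secrets($name, $docRoot)
{
    // Resolve $name against the current include_path to an absolute file name.
    $found = stream_resolve_include_path($name);
    $real  = ($found !== false) ? realpath($found) : false; // follow symlinks, ".."
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('secrets file not found on include_path');
    }

    // realpath('') would return the working directory, so skip an empty root
    // (as on the command line, where DOCUMENT_ROOT is not set).
    $root = ($docRoot !== '') ? realpath($docRoot) : false;

    // Refuse a file inside the public tree: if PHP stops handling requests,
    // anything there can be served back as plain text.
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('secrets file is inside the web root');
    }

    $cfg = include $real; // the file returns its array
    if (!is_array($cfg) || !isset($cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('secrets file has an unexpected format');
    }
    return $cfg;
}

// Per-script include_path: no edit to the shared php.ini is involved.
set_include_path('/home/username/private' . PATH_SEPARATOR . get_include_path());

try {
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '';
    $db = load_secrets('db.inc.php', $docRoot);
    // $db['user'] and $db['pass'] are now available for the MySQL connection.
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // log the reason; show the visitor nothing
    exit;
}
```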