karsumit94 / phpliteadmin

Automatically exported from code.google.com/p/phpliteadmin
0 stars 0 forks source link

Change method of detecting config file #212

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Change hard-coded path to:

    $config_filename = dirname(__FILE__) . '/phpliteadmin.config.php';

So that both can be stored outside the document root and just have one symlink 
to phpliteadmin.php. This keeps the config file out of web's view.

Original issue reported on code.google.com by myqlar...@gmail.com on 24 Apr 2013 at 10:01

GoogleCodeExporter commented 9 years ago
I don't like this change too much, because it might bring up unexpected 
behaviours to people that symlink directories and don't want the effect you 
look for.

An alternative is to include your configuration file from the default file:

# phpliteadmin.config.php
<?php
include '/a-directory/far/far/away/my-config.php';
# end of file

Yet again —just an idea— we could include configuration, language and theme 
files wherever they are, as long as the directory has been added with 
set_include_path().

http://php.net/set_include_path
http://php.net/stream_resolve_include_path
http://stackoverflow.com/questions/6041250/how-to-check-if-a-file-exists-under-i
nclude-path

Although, where do we add set_include_path? it can't be in the configuration 
file :|

Original comment by dreadnaut on 24 Apr 2013 at 11:01

GoogleCodeExporter commented 9 years ago
I can't imagine how symlinked dirs would cause any problems, but I'm not an 
expert. I just don't like having a config file, or _any_ file with a cleartext 
password sitting in the document root. Who knows when the next ?-s bug is going 
to crop up and make the contents of the script visible to all. I like the idea 
of a single file, and it's great for localhost, but on a public-facing 
installation, it's scary.

Original comment by myqlar...@gmail.com on 24 Apr 2013 at 11:09

GoogleCodeExporter commented 9 years ago
| I can't imagine how symlinked dirs would cause any problems, but I'm not an 
expert.

Just a feeling, I haven't checked. But I can imagine someone who symlinks the 
php file but expects the script to load the configuration file in the current 
directory, not from dirname(__FILE__). I'll look into it when I have bit more 
time though!

Currently, I think my suggestion above is the safest option: have a two-line 
config file that includes the real configuration file, and store the latter 
outside the webserver tree.

You can also look into (basic) HTTP Authentication, for an additional layer of 
security:
http://httpd.apache.org/docs/2.2/howto/auth.html

Original comment by dreadnaut on 24 Apr 2013 at 11:20

GoogleCodeExporter commented 9 years ago
True, but that makes _three_ files :)

If one symlinks the file, the target is likely _with_ the config file. That is, 
index.php -> ../phpliteadmin.php which also contains config. But do look into 
it if you feel it's worth it.

I'd avoid basic Authentication as it's broken. Digest is a step up, but not by 
much. I suppose the primary use case is to not use this in an open, 
public-facing setting anyway.

Thanks for your work!

Original comment by myqlar...@gmail.com on 24 Apr 2013 at 12:27

GoogleCodeExporter commented 9 years ago
Counter example: if someone has more than one copy of PLA on his server, these 
copies might be links to the same php file (it makes updates easier) and use 
different configuration files placed in the relative directories. Looking for a 
config file in the "link target" directory would break this kind of deployment.

It would be good to find a solution that works with both setups, but it cannot 
be a setting :)

Original comment by dreadnaut on 24 Apr 2013 at 8:54

GoogleCodeExporter commented 9 years ago
True, check for file existence in the same dir and if not found, check for 
existence in file's dir, using the first it finds?

Original comment by myqlar...@gmail.com on 24 Apr 2013 at 11:00

GoogleCodeExporter commented 9 years ago
What is the problem with the solution posted by drednaut in the first comment?
# phpliteadmin.config.php
<?php
include '/a-directory/far/far/away/my-config.php';

Original comment by crazy4ch...@gmail.com on 26 Apr 2013 at 4:23

GoogleCodeExporter commented 9 years ago
Nothing's wrong with it if you don't mind adding yet another file. I thought 
the point of phpliteadmin was to keep it all in one file (+ 1 config if 
needed). If it's going to keep expanding, then why bother making it one file?

It's just a suggestion based on my use case. If it doesn't fit with the average 
use case, then just ignore it.

Thanks for all your work!

Original comment by myqlar...@gmail.com on 27 Apr 2013 at 6:51

GoogleCodeExporter commented 9 years ago
We try to stick with the 1-file-philosophy as much as possible. Although we now 
develop phpliteAdmin in multiple files ("split mode", see issue #190), we will 
continue releasing it in one-file ("built mode").

But if you symlink phpLiteAdmin, you already introduce another (instance of a) 
file. So if you have phpliteadmin.php twice, you can also have 2 
phpliteadmin.config.php.

I think I prefer the way of making the link to the config-file somewhere else 
explicit (using the include). Implicitly using some file that is found 
somewhere sounds a bit dangerous and might make finding errors complicated.
Assume you changed configuration in the phpliteadmin.php and then it gets 
overwritten by some phpliteadmin.config.php that is stored in a completely 
different folder. Sounds like it could give someone a headache to figure out 
what is going on ;-)

Original comment by crazy4ch...@gmail.com on 28 Apr 2013 at 12:32

GoogleCodeExporter commented 9 years ago
I think we won't change something here. As explained, it might bring up 
unexpected behaviour.
If you want to move your config file out of the webserver's scope, I would 
recomment to require it from the phpliteadmin.config.php

Note that require it is more safe than include here! Imagine you place the real 
config somewhere else and later you don't remember where it is used so you 
remove the real file. Or some file permissions would change (e.g. the user the 
webserver runs changes because you change from mod_php5 to php-fpm or 
something). The include would fail and fall back to the default config in 
phpliteadmin.php with the "admin" password. I think using an include, you 
introduce more problems than you could imagine by having a cleartext config in 
the webserver root.
If you use a require, if the file was missing or rights to access it were 
missing or something, you would get a fatal error.

Original comment by crazy4ch...@gmail.com on 15 Jan 2014 at 10:01