Hi,
I ran the in-place installation, and it went like a breeze. That said, I don't understand a couple of things...
/var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball. Ran through the basic install, which means putting LocalSettings.php in the same directory as index.php (/var/www/wiki). I noticed that LocalSettings.php has the DB name, username and PW in it. If one is readable, won't the other be as well? Is that safe?
On Apr 5, 2004, at 21:06, Peter wrote:
> /var/www/wiki has a dump of the mediawiki-1.2.0 stable tar-ball. Ran through the basic install, which means putting LocalSettings.php in the same directory as index.php (/var/www/wiki). I noticed that LocalSettings.php has the DB name, username and PW in it. If one is readable, won't the other be as well? Is that safe?
If the file is requested, it'll be _executed_ as PHP and the _output_ (which is nothing) sent to the client. This should be reasonably safe under normal configurations.
However, if you edit the file by hand, your editor might leave a backup file which doesn't have a ".php" extension, so watch out for that. If you're paranoid, you can move the actual passwords to a file outside your web space and have LocalSettings.php include() the real file (this is actually how we do things on Wikipedia, mainly just to simplify administration of dozens of almost-identical configurations).
Also, your MySQL server really shouldn't accept connections from the internet at large. If it's configured appropriately (socket connections only or firewalled to a local network) then the potential risk of the database passwords being leaked is rather smaller.
-- brion vibber (brion @ pobox.com)
mediawiki-l@lists.wikimedia.org
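An added example, not part of the original thread: a shell check for the backup-file case described in the reply above. It lists files under the web root that hold the database password but do not end in ".php", and tests whether LocalSettings.php itself still carries the password. It assumes the server executes only ".php" names; the function names and the search pattern are this example's own.

```bash
#!/bin/sh
# Added example, not from the original thread.
# Assumption: the web server passes only names ending in ".php" to the PHP
# interpreter and sends every other file under the web root as plain text.

# Matches MediaWiki's database password setting ($wgDBpassword and similar).
CRED_PATTERN='\$wgDB[A-Za-z]*password'

# exposed_config_copies WEBROOT [PATTERN]
# Prints, sorted, each regular file under WEBROOT that does not end in ".php"
# yet contains a credential line: editor backups such as "LocalSettings.php~"
# or "LocalSettings.php.bak".
exposed_config_copies() {
    find "$1" -type f ! -name '*.php' \
        -exec grep -lE -e "${2:-$CRED_PATTERN}" {} + 2>/dev/null | LC_ALL=C sort
}

# config_holds_secret FILE [PATTERN]
# Succeeds while FILE itself contains the credential line, i.e. the password
# has not yet been moved to an include()d file outside the web space.
config_holds_secret() {
    grep -qE -e "${2:-$CRED_PATTERN}" "$1"
}

# audit_webroot WEBROOT
# Reports exposed copies; returns 0 when there are none, 1 otherwise.
audit_webroot() {
    audit_hits=$(exposed_config_copies "$1")
    if [ -z "$audit_hits" ]; then
        return 0
    fi
    printf '%s\n' "$audit_hits" | while IFS= read -r audit_path; do
        printf 'would be served as source: %s\n' "$audit_path"
    done
    return 1
}

# Usage: sh audit.sh /var/www/wiki
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

The report prints paths only, never the matching line, so the password does not end up in terminal scrollback or cron mail.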