Securing - config.php


Post by UseLess on Wed Dec 27, 2006 1:40 pm

Greetings,

To make the contents of 'config.php' a little more secure you can add the following to the top of the file:
[code]
if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}
[/code]

This will then result in this if someone tries to access the file directly.

The complete file should then look like this:
[code highlight="11,13-16,18"]<?php

if ( !defined('IN_PHPBB') )
{
   die("Hacking attempt");
}

// phpBB 2.x auto-generated config file
// Do not change anything in this file!

$dbms = 'mysql';

$dbhost = 'localhost';
$dbname = 'your db name';
$dbuser = 'your db username';
$dbpasswd = 'your db password';

$table_prefix = 'phpbb_';

define('PHPBB_INSTALLED', true);

?>[/code]
In the above, the highlighted lines may be different in the file you have due to the different db server and the other connection settings, along with a different table prefix if you're not using the default of 'phpbb_'.

Adding this check to the file should not affect any mods installed on the forum. However, if you start getting 'hacking attempt' messages then make sure 'IN_PHPBB' is defined before including 'config.php'.

Also make sure that the file 'config.php' is CHMOD'd to 644.

Post by Disturbed One on Wed Dec 27, 2006 4:26 pm

In addition to this, I place my config.php in a different directory (say /admin/ for example), and I rename it (/home.php or similar).

This won't do much if somebody was able to get access to your files, but it will not be as easy for them to find your database connection information.

Post by Disturbed One on Wed Dec 27, 2006 8:50 pm

Giga4000 also states that putting this code into your .htaccess should prevent people from reading the file online, but still lets phpBB read it.
[code]
<Files config.php>
Deny from all
</Files>
[/code]
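
A defender-side check of the three measures in this thread (the IN_PHPBB guard ahead of the database settings, 644 permissions, the .htaccess deny block), added here as an example; it is not code from either poster or from phpBB. The function names and finding labels are assumptions of this example, and it also accepts Apache 2.4's `Require all denied`, which the thread does not mention.

```python
import os
import re
import stat
import tempfile

# Patterns for the three measures described in the thread (names are this example's own).
GUARD = re.compile(r"if\s*\(\s*!\s*defined\(\s*['\"]IN_PHPBB['\"]\s*\)\s*\)\s*\{?\s*(die|exit)\b")
SECRET = re.compile(r"\$(dbhost|dbname|dbuser|dbpasswd)\s*=")
# The deny directive must sit inside the same <Files config.php> block.
DENY = re.compile(r"<Files\s+\"?config\.php\"?\s*>(?:(?!</Files>).)*?"
                  r"(Deny\s+from\s+all|Require\s+all\s+denied)", re.I | re.S)

def guard_before_secrets(php_source):
    """True when the IN_PHPBB check comes before the first database setting."""
    guard, secret = GUARD.search(php_source), SECRET.search(php_source)
    return guard is not None and (secret is None or guard.start() < secret.start())

def mode_too_open(path):
    """True when the file has any permission bit beyond 644 (rw-r--r--)."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & ~0o644)

def audit(forum_dir):
    """Return findings for forum_dir/config.php; an empty list means all checks pass."""
    findings = []
    config = os.path.join(forum_dir, "config.php")
    with open(config, encoding="utf-8", errors="replace") as fh:
        if not guard_before_secrets(fh.read()):
            findings.append("guard")      # no IN_PHPBB check ahead of the settings
    if mode_too_open(config):
        findings.append("mode")           # more permissive than 644
    rules = ""
    htaccess = os.path.join(forum_dir, ".htaccess")
    if os.path.exists(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            rules = fh.read()
    if not DENY.search(rules):
        findings.append("htaccess")       # no deny rule for config.php
    return findings

if __name__ == "__main__":
    # Constructed sample: unguarded, world-writable config.php and no .htaccess.
    with tempfile.TemporaryDirectory() as forum:
        path = os.path.join(forum, "config.php")
        with open(path, "w") as fh:
            fh.write("<?php\n$dbhost = 'localhost';\n$dbpasswd = 'example';\n?>")
        os.chmod(path, 0o666)
        print(audit(forum))
```

The guard pattern is a text match, so a commented-out check would still pass; treat a clean result as a prompt to read the file, not a replacement for it.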
