Change method of detecting config file

Issue #212 wontfix
myqlarson created an issue

Originally reported on Google Code with ID 212

Change hard-coded path to:

    $config_filename = dirname(__FILE__) . '/phpliteadmin.config.php';

So that both can be stored outside the document root and just have one symlink to phpliteadmin.php.
This keeps the config file out of web's view.

Reported by myqlarson on 2013-04-24 10:01:57

Comments (10)

  1. dreadnaut
    I don't like this change too much, because it might bring up unexpected behaviours to
    people that symlink directories and don't want the effect you look for.
    
    An alternative is to include your configuration file from the default file:
    
    # phpliteadmin.config.php
    <?php
    include '/a-directory/far/far/away/my-config.php';
    # end of file
    
    
    Yet again —just an idea— we could include configuration, language and theme files wherever
    they are, as long as the directory has been added with set_include_path().
    
    http://php.net/set_include_path
    http://php.net/stream_resolve_include_path
    http://stackoverflow.com/questions/6041250/how-to-check-if-a-file-exists-under-include-path
    
    Although, where do we add set_include_path? It can't be in the configuration file :|
    

    Reported by dreadnaut on 2013-04-24 11:01:01

  2. myqlarson reporter
    I can't imagine how symlinked dirs would cause any problems, but I'm not an expert.
    I just don't like having a config file, or _any_ file with a cleartext password sitting
    in the document root. Who knows when the next ?-s bug is going to crop up and make
    the contents of the script visible to all. I like the idea of a single file, and it's
    great for localhost, but on a public-facing installation, it's scary.
    

    Reported by myqlarson on 2013-04-24 11:09:01

  3. dreadnaut
    | I can't imagine how symlinked dirs would cause any problems, but I'm not an expert.
    
    Just a feeling, I haven't checked. But I can imagine someone who symlinks the php file
    but expects the script to load the configuration file in the current directory, not
    from dirname(__FILE__). I'll look into it when I have a bit more time though!
    
    Currently, I think my suggestion above is the safest option: have a two-line config
    file that includes the real configuration file, and store the latter outside the webserver
    tree.
    
    You can also look into (basic) HTTP Authentication, for an additional layer of security:
    http://httpd.apache.org/docs/2.2/howto/auth.html
    

    Reported by dreadnaut on 2013-04-24 11:20:45

  4. myqlarson reporter
    True, but that makes _three_ files :)
    
    If one symlinks the file, the target is likely _with_ the config file. That is, index.php
    -> ../phpliteadmin.php which also contains config. But do look into it if you feel
    it's worth it.
    
    I'd avoid basic Authentication as it's broken. Digest is a step up, but not by much.
    I suppose the primary use case is to not use this in an open, public-facing setting
    anyway.
    
    Thanks for your work!
    

    Reported by myqlarson on 2013-04-24 12:27:08

  5. dreadnaut
    Counter example: if someone has more than one copy of PLA on his server, these copies
    might be links to the same php file (it makes updates easier) and use different configuration
    files placed in the relative directories. Looking for a config file in the "link target"
    directory would break this kind of deployment.
    
    It would be good to find a solution that works with both setups, but it cannot be a
    setting :)
    

    Reported by dreadnaut on 2013-04-24 20:54:51

  6. myqlarson reporter
    True, check for file existence in the same dir and if not found, check for existence
    in file's dir, using the first it finds?
    

    Reported by myqlarson on 2013-04-24 23:00:18

  7. Christopher Kramer
    What is the problem with the solution posted by dreadnaut in the first comment?
    # phpliteadmin.config.php
    <?php
    include '/a-directory/far/far/away/my-config.php';
    

    Reported by crazy4chrissi on 2013-04-26 16:23:37

  8. myqlarson reporter
    Nothing's wrong with it if you don't mind adding yet another file. I thought the point
    of phpliteadmin was to keep it all in one file (+ 1 config if needed). If it's going
    to keep expanding, then why bother making it one file?
    
    It's just a suggestion based on my use case. If it doesn't fit with the average use
    case, then just ignore it.
    
    Thanks for all your work!
    

    Reported by myqlarson on 2013-04-27 06:51:42

  9. Christopher Kramer
    We try to stick with the 1-file-philosophy as much as possible. Although we now develop
    phpliteAdmin in multiple files ("split mode", see issue #190), we will continue releasing
    it in one-file ("built mode").
    
    But if you symlink phpLiteAdmin, you already introduce another (instance of a) file.
    So if you have phpliteadmin.php twice, you can also have 2 phpliteadmin.config.php.
    
    I think I prefer the way of making the link to the config-file somewhere else explicit
    (using the include). Implicitly using some file that is found somewhere sounds a bit
    dangerous and might make finding errors complicated.
    Assume you changed configuration in the phpliteadmin.php and then it gets overwritten
    by some phpliteadmin.config.php that is stored in a completely different folder. Sounds
    like it could give someone a headache to figure out what is going on ;-)
    

    Reported by crazy4chrissi on 2013-04-28 12:32:15

  10. Christopher Kramer
    I think we won't change something here. As explained, it might bring up unexpected behaviour.
    If you want to move your config file out of the webserver's scope, I would recommend
    to require it from the phpliteadmin.config.php
    
    Note that require is safer than include here! Imagine you place the real config
    somewhere else and later you don't remember where it is used so you remove the real
    file. Or some file permissions would change (e.g. the user the webserver runs as changes
    because you change from mod_php5 to php-fpm or something). The include would fail and
    fall back to the default config in phpliteadmin.php with the "admin" password. I think
    using an include, you introduce more problems than you could imagine by having a cleartext
    config in the webserver root.
    If you use a require, if the file was missing or rights to access it were missing or
    something, you would get a fatal error.
    

    Reported by crazy4chrissi on 2014-01-15 10:01:11 - Status changed: WontFix
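
The fail-closed stub recommended in comment 10, written out as an added example (not code from the thread or from phpLiteAdmin itself). It reuses the placeholder path from comment 1; the `$password` variable name and the `pla_config_abort` helper are assumptions made for illustration.

```php
<?php
// phpliteadmin.config.php: the only config file left in the web root.
// Added illustration: it holds no secrets, only a pointer to the real file.

// Placeholder path taken from the thread; must lie outside the document root.
$real_config = '/a-directory/far/far/away/my-config.php';

// Hypothetical helper: stop the request without leaking details to the client.
function pla_config_abort(string $reason): void
{
    error_log('phpLiteAdmin config: ' . $reason); // detail goes to the server log only
    if (!headers_sent()) {
        http_response_code(500);
    }
    exit('Configuration error.');
}

// Catch the two failure modes from comment 10 up front: the real file was
// deleted, or the user PHP runs as changed and can no longer read it.
if (!is_file($real_config) || !is_readable($real_config)) {
    pla_config_abort("cannot read {$real_config}");
}

// require, not include: if loading still fails, execution stops with a fatal
// error instead of continuing with the defaults built into phpliteadmin.php.
require $real_config;

// Assumption: the real config sets $password. If it is unset, empty, or still
// the built-in default "admin", refuse to serve the admin interface.
if (!isset($password) || !is_string($password)
    || $password === '' || $password === 'admin') {
    pla_config_abort('password missing or still the default');
}
```

With a plain `include` and no checks, each of these conditions would only raise a warning and the script would carry on with the default "admin" password.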
