I am building a PHP application. As part of that, I stored all of the frequently used variables (such as the MySQL database login information) in a file called "config.php" and then simply put "include 'config.php';" at the beginning of each page that needs the database info. Is it possible for an attacker to put a PHP file on their server which contains "include 'http://myserver.com/config.php';" and then echo out all the variables contained in config.php? If so, these is a major security hole. How do I protect against such an attack? -Ryan Adams http://RyanTAdams.com

No, you cannot "include" a file on a separate domain like that. If you tried to include a php file on another domain that file is being requested through that web server and the onlly thing you would be including is the output of that file. For example, if the included PHP file had an echo statement then the externally requesting page would only see the output of that echo. Example include file: <?php echo "exit;"; ?> If a local page included that file it would "print" the test "exit;" to the page. If an external page tried to include it it would just see "exit;" as the content and would exit the script. Michael J