On Tue, 21 Mar 2006, Colin Alston wrote:
How would that happen? The passwords are stored in a PHP file, so I don't believe they're accessible from outside the machine. And local file access isn't affected by .htaccess.
It only has to happen once; if a configuration slips and your Apache doesn't interpret a PHP file, the whole world sees you with your underpants around your ankles.
OK, but why put code in the .htaccess? All that has to happen is Apache set to ignore .htaccess files, and ...
It's not worth the risk; security by obscurity is no security at all.
I believe that security through obscurity can actually be one valid level of security (after all, in the extreme case, that's all a password ever really is). (Linus Torvalds)