[Solar-talk] Disallow "default" Solar::start() config location?
Paul M Jones
pmjones at ciaweb.net
Wed Sep 5 18:29:59 CDT 2007
Hi all,

Another change I've been mulling is kind of security-related. Way
back when Solar was still mostly a library, I set up a
SOLAR_CONFIG_PATH constant that points to the web root as the default
location for the Solar.config.php file.

I do say in the documentation that you should call Solar::start()
with the path to your specific config file, but even so, the default
behavior means a less-secure Solar::start(). As we know, config
files have sensitive information and should never be web-accessible,
even if they *are* written in PHP.

As such, I'd like to remove that constant, and make Solar::start()
when called with no param the same as calling Solar::start(false).
That is, no param means no config is loaded. The documentation will
change to say that you need to explicitly point to a config file when
calling Solar::start().

Does that make sense to you guys? I'd like to hear arguments for and
against, if you have any.

Thanks everyone. :-)

--
Paul M. Jones <http://paul-m-jones.com>
Solar: Simple Object Library and Application Repository
for PHP5. <http://solarphp.com>
Join the Solar community wiki! <http://solarphp.org>
Savant: The simple, elegant, and powerful solution for
templates in PHP. <http://phpsavant.com>
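
The behaviour proposed in the message above, sketched as an added example that is not part of the original post and is not Solar's code: no argument loads nothing, and an explicit path is refused if it resolves inside the web root. The function name `load_explicit_config()`, the file names, and the assumption that a config file returns an array are all hypothetical.

```php
<?php
// Added illustration, not Solar's code. load_explicit_config() and all paths
// are hypothetical; the config file is assumed to `return` an array.
function load_explicit_config($configFile = false, $webRoot = null)
{
    // No argument means no config: no default location is ever probed.
    if ($configFile === false || $configFile === null) {
        return array();
    }
    $real = realpath($configFile); // resolves symlinks and ../ segments
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("Config file not found: $configFile");
    }
    // Assumption: the web root is passed in or taken from DOCUMENT_ROOT.
    if ($webRoot === null && isset($_SERVER['DOCUMENT_ROOT'])) {
        $webRoot = $_SERVER['DOCUMENT_ROOT'];
    }
    $root = $webRoot ? realpath($webRoot) : false;
    if ($root !== false) {
        // Trailing separator so /var/www does not match /var/www-private.
        $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $root, strlen($root)) === 0) {
            throw new RuntimeException("Refusing config inside web root: $real");
        }
    }
    $config = include $real;
    if (!is_array($config)) {
        throw new RuntimeException("Config file must return an array: $real");
    }
    return $config;
}

// Constructed demo: a temporary "web root" with a private directory beside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cfgdemo_' . getmypid();
mkdir("$base/public", 0700, true);
mkdir("$base/private", 0700, true);
$body = "<?php return array('db_pass' => 'constructed-sample');";
file_put_contents("$base/public/app.config.php", $body);
file_put_contents("$base/private/app.config.php", $body);

var_dump(load_explicit_config(false, "$base/public"));                         // case 1: no config argument
var_dump(load_explicit_config("$base/private/app.config.php", "$base/public")); // case 2: file outside the web root
try {
    load_explicit_config("$base/public/../public/app.config.php", "$base/public"); // case 3: file inside the web root
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```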