[Solar-talk] Disallow "default" Solar::start() config location?

Antti Holvikari anttih at gmail.com
Thu Sep 6 02:54:16 CDT 2007


On 9/6/07, Paul M Jones <pmjones at ciaweb.net> wrote:
> Hi all,
>
> Another change I've been mulling is kind of security-related.  Way
> back when Solar was still mostly a library, I set up a
> SOLAR_CONFIG_PATH constant that points to the web root as the default
> location for the Solar.config.php file.
>
> I do say in the documentation that you should call Solar::start()
> with the path to your specific config file, but even so, the default
> behavior means a less-secure Solar::start().  As we know, config
> files have sensitive information and should never be web-accessible,
> even if they *are* written in PHP.
>
> As such, I'd like to remove that constant, and make Solar::start()
> when called with no param the same as calling Solar::start(false).
> That is, no param means no config is loaded.  The documentation will
> change to say that you need to explicitly point to a config file when
> calling Solar::start().
>
> Does that make sense to you guys?  I'd like to hear arguments for and
> against, if you have any.
>
> Thanks everyone.  :-)

I'm all for this. I always give Solar::start() an absolute path to my
config file.

+1

-- 
Antti Holvikari
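
An added example, not part of either message above and not Solar's own code: a bootstrap guard that resolves the config path and refuses to use a file located under the web root before handing it to Solar::start(). The helper name config_path_outside_webroot() and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example; the helper name and the sample paths are hypothetical.

/**
 * Return the canonical config path, or throw if the file is missing
 * or sits below the web server's document root.
 */
function config_path_outside_webroot(string $configPath, string $docRoot): string
{
    $config = realpath($configPath);   // resolves symlinks and ".." segments
    $root   = realpath($docRoot);
    if ($config === false || !is_file($config)) {
        throw new RuntimeException("Config file not found: $configPath");
    }
    if ($root === false) {
        throw new RuntimeException("Document root not found: $docRoot");
    }
    // Compare against "root/" so that /srv/htdocs-old is not mistaken for /srv/htdocs.
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($config, $root, strlen($root)) === 0) {
        throw new RuntimeException("Refusing web-accessible config: $config");
    }
    return $config;
}

// Constructed layout for the demonstration:
//   <tmp>/app/htdocs/Solar.config.php   (inside the web root: rejected)
//   <tmp>/app/config/Solar.config.php   (outside the web root: accepted)
$base = sys_get_temp_dir() . '/solar-demo-' . getmypid();
mkdir("$base/app/htdocs", 0700, true);
mkdir("$base/app/config", 0700, true);
file_put_contents("$base/app/htdocs/Solar.config.php", "<?php return array();");
file_put_contents("$base/app/config/Solar.config.php", "<?php return array();");

foreach (['htdocs', 'config'] as $dir) {
    try {
        $path = config_path_outside_webroot("$base/app/$dir/Solar.config.php", "$base/app/htdocs");
        echo "ok: $path\n";
        // In a real bootstrap, this is where the explicit path is passed: Solar::start($path);
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```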

