• Don’t you hate it when you think you know what you’re doing, and find out you don’t?
    I’m having a problem that is different from the one found on the faq regarding the “cannot modify headers” problem… at least, I THINK it’s different…
    I don’t like having my database password “hanging out” on the web. I got WordPress working the “regular” way, then edited the config file to put the database information (the “define” statements) in an include file which is stored outside of the web root. I then invoked the include file in the config file, just above the defs for the server/host/user etc. variables.
    Now, no matter what I do, I get this warning
    Warning: Cannot modify header information – headers already sent by (output started at em my root directory/em/blog_info/wf_db.inc.php:9) inemvarious files apparently trying to change the headers, includingemwp-login.php -after clearing my cookies.
    BUT! Whatever I’ve done (edit, added comment, etc) actually DOES get done. It just takes me to the warning screen instead of returning me to the post or blog screen (or whatever screen the action is supposed to return me to). So, I’m thinking it’s something about having to invoke the include file outside the web root that’s causing the problem. But I can’t find a line in any of the login, post, edit, whatever files that invokes anything OTHER than the config file, so it shouldn’t be WANTING to modify the headers, right?
    Anybody got any ideas?
    (Don’t know if I can post this anonymously – and I didn’t think to register before starting the post… if it posts anyway, hi, my name is Karen, and I aspire to geekhood – but I’m (obviously) not there yet.)

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Anonymous

    Ok, obviously I screwed up the em tags… sorry ’bout that. They were supposed to set off the stuff that isn’t actually part of the warning message.
    (oh, yeah, it’s me again)

    Your database password isn’t “hanging out”.
    Find a wordpress site, then go to their wp-config file. You will see nothing at all. The PHP is executed by the server, and not sent to the browser. It never gets to the viewer’s machine. It’s secure.

    Thread Starter Anonymous

    Are you saying that there’s NO WAY for a hacker to somehow see the contents of a php script that’s on the web? I thought there’d be some way for somebody smarter than me to see it…

    I don’t know enough about php and what hacker tools are around, but I can tell you that in the last 7 months, during which time WP use has expanded a fair bit, that no-one has posted to say they were hacked and that the cause was wp-config.
    In my experience, stuff like phpBB and miniBB (this forum is miniBB) also have their database info held in files (it’s needed every single time the site is viewed) and they too have not had this issue – I would imagine it would be noted as important news.
    I also cannot see that the devs would not have considered what they were doing in this respect, and given that WP evolved from b2, if there *had* been a problem, it would have been changed.
    Guarantees ? There aren’t any on the net, but given the installed userbase, you are safe ??

    Thread Starter Anonymous

    Ok… I also think I’ll ask this question at my ISP’s boards. There are a LOT of “security geeks” there. If they say anything different, I’ll come back and let y’all know!

    There are a fair few ‘geeks’ around here too !

    I know, but it was on the ISP board that I first got the idea that it was a problem to have the passwords “out” in the web-accessible part of my site. Hopefully, whoever gave that impression can either refresh my memory, or tell me I misunderstood what he/she/it was saying.

    ACK! It was an extra line at the front of the include file! Since it’s working, I’m just gonna leave it now. But I’d still like to know if a hacker could ever actually SEE the php script on a page. It’s just curiosity, now. But still.

    OK, one last post on the subject, just to share the info… apparently if the server the page is on doesn’t “recognize” the .php extension as something that is supposed to be processed by php, the text of the page (the actual script) COULD appear. Not likely, unless it’s a personal server, because most web hosting services would never make such a stupid mistake. Still, according to one of the security gurus on pair.com, putting the database password outside of the web tree is a good idea just on general principle that the less “sensitive” information accessible on the web, the better.
    YMMV! But it was pretty easy to do, once I figured out what the problem was, and I’ll be happy to explain how if anybody wants me to.
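
The cause found in this thread, an extra line at the front of the include file, can be checked for mechanically before the file is deployed. The following is an added example, not code from the thread or from WordPress: the function name and the sample file contents are constructed for illustration, and it assumes PHP 7.1 or later with the tokenizer extension enabled.

```php
<?php
// Added example: report anything in a PHP include file that would be sent
// to the browser as output (and so trigger "headers already sent").

/**
 * Return a list of [line, description] pairs, one for every run of bytes
 * that lies outside <?php ... ?> tags. Anything found here is emitted as
 * page output the moment the file is included.
 */
function find_stray_output(string $source): array
{
    $findings = [];
    foreach (token_get_all($source) as $token) {
        // The tokenizer returns everything outside PHP tags as T_INLINE_HTML.
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            [, $text, $line] = $token;
            if (strncmp($text, "\xEF\xBB\xBF", 3) === 0) {
                $what = 'UTF-8 byte order mark';
            } elseif (trim($text) === '') {
                $what = 'whitespace (' . strlen($text) . ' bytes)';
            } else {
                $what = 'literal text';
            }
            $findings[] = [$line, $what];
        }
    }
    return $findings;
}

// Constructed samples standing in for an include file kept outside the web root.
$samples = [
    'blank line before <?php' => "\n<?php\ndefine('DB_PASSWORD', 'placeholder');\n",
    'blank lines after ?>'    => "<?php\ndefine('DB_PASSWORD', 'placeholder');\n?>\n\n",
    'clean, no closing tag'   => "<?php\ndefine('DB_PASSWORD', 'placeholder');\n",
];

foreach ($samples as $label => $source) {
    $findings = find_stray_output($source);
    echo $label, ': ', $findings ? 'OUTPUT' : 'ok', "\n";
    foreach ($findings as [$line, $what]) {
        echo "  line $line: $what\n";
    }
}
```

PHP swallows a single newline that directly follows `?>`, so that case is not reported; leaving the closing tag off an include file that contains only PHP avoids trailing output altogether.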

  • The topic ‘a different modify headers problem’ is closed to new replies.