Confirmation requested: okay to expose passwords in

I see that one needs to modify in order to do things like send email, and I see that it states right at the top:
; <?php exit(); // DO NOT DELETE ?>
; Doing so will expose this configuration file through your web site!

Which implies, to me, that this file is set up to exit the second its accessed via php. But, I do want to confirm that there is literally no other way to access the file, and that putting passwords and such in this file in plaintext on a server is totally fine.

This file is in my ojs 3.3 install file, so it’s totally exposed to the web. I would appreciate confirmation that including the php exit() line in this file absolutely bars anyone from being able to access/read this file, and passwords are safe.

I guess I’m just worried that someone could expose this file using a method other than php, viewing the source or something in plaintext. Web Security is not my field, so I’m hoping someone with more experience can confirm that having this file exposed in a web-accessible directory (my OJS install directory) on a server is okay if it has plaintext passwords.


Just bumping this up a little because I can’t find an answer… thanks!

Hi @alk,

The file is safe, and plaintext passwords in a .php configuration file is a pattern used by other widely-accepted applications like Drupal and Wordpress. The exit() line prevents the file from being served via the web (and that line shouldn’t be removed, as noted).

Alec Smecher
Public Knowledge Project Team