I'm putting a Drupal project on an open source hosting site. What files do I have to not put up there so I don't compromise my site's security?

Various settings.php files come to mind. And obviously the database itself won't be in a repository. Anything else dangerous?

I'm running Drupal 6.

Also, it'd be nice to get the database itself under version control in some way. Any idea how to do that?

UPDATE: What if I were to dump the db data, encrypt it, and version that?

A: 

Plugins would be the only thing I would hide. The reason is that plugins have their own security holes, and announcing to the world what version you are using could get you hacked. Drupal itself is pretty secure though.

TheLQ
+1  A: 

Make sure not to submit User Uploaded Files. I wouldn't upload your db dump, even if it is encrypted. I would also be careful of .htaccess files.

Committing settings.php would be the worst thing you could do; you could try doing a find in files for your mysql user/password to make sure it isn't duplicated.

If Drupal is under version control you could diff it with Drupal's repo to see what files have changed. Something like TortoiseSVN makes that process pretty easy.

I'd also be careful of Cache files, but as far as I know Drupal only has a sql based cache.

For SQL version control it is most common to use a mysqldump. Another approach is using a scripted versioning strategy, with a PHP implementation. It is unsafe to dump any of the cache_* tables, the variable table and of course the user table.

Rook
Ok. Any idea for how else I can version the database? I'm using Mercurial.
Rosarch
@Rosarch updated
Rook
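As an added example (not code from either answer), the two checks Rook's answer describes, scripted for a Drupal 6 tree: build the mysqldump command that leaves out the cache_*, variable and users tables, and count files outside settings.php that still contain the database password. The database name, user and the password string are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original answers. Assumes $1 = database name
# and a table list as printed by `mysql -N -e 'SHOW TABLES'`.

# Print one --ignore-table flag per table that must stay out of the dump:
# cache_* and the bare Drupal 6 `cache` table, variable, and users.
# `users_roles` and similar names are deliberately NOT matched.
drupal_ignore_flags() {
    db="$1"
    printf '%s\n' "$2" | while IFS= read -r tbl; do
        [ -n "$tbl" ] || continue
        case "$tbl" in
            cache|cache_*|variable|users)
                printf -- '--ignore-table=%s.%s\n' "$db" "$tbl" ;;
        esac
    done
}

# Print (not run) the mysqldump command for the committable dump.
# --skip-extended-insert writes one row per INSERT, so revisions of the
# dump diff cleanly under Mercurial.
drupal_dump_command() {
    db="$1"; user="$2"; tables="$3"
    flags=$(drupal_ignore_flags "$db" "$tables" | tr '\n' ' ')
    printf 'mysqldump --single-transaction --skip-extended-insert -u %s -p %s%s\n' \
        "$user" "$flags" "$db"
}

# The "find in files" check: count files under the checkout root ($1),
# excluding settings.php itself, that contain the DB password ($2).
# A result other than 0 means the credential is duplicated somewhere
# that would be committed.
count_leaked_secret() {
    root="$1"; secret="$2"
    grep -rlF --exclude=settings.php -- "$secret" "$root" 2>/dev/null | wc -l | tr -d ' '
}
```

Run `count_leaked_secret . "$(sed -n 's/.*:\/\/[^:]*:\([^@]*\)@.*/\1/p' sites/default/settings.php)"` from the checkout root before committing; anything above 0 is a file to fix or exclude.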