php3-list | 199901

Re: [PHP3] Disable phpinfo?
From: Alex Belits (abelits <email protected>)
Date: 01/21/99

On Thu, 21 Jan 1999, John Coggeshall wrote:

> Is it possible to disable the phpinfo() function? Or at least make it so it
> doesn't show the variables being used. I would like to write a script which
> works "behind the scenes" as a gateway between the user and a global
> database and I don't want some malicious user using phpinfo() to find the
> passwords to the database

  phpinfo() is absolutely irrelevant -- when a user calls phpinfo(), he can
only get data already available to him, so if a user is able to run his
own PHP source along with an authenticated session with the database, or
with some other user's request when another user is authenticated, he will
be able to find out the password regardless of whether phpinfo() is
available, simply because it's in his variables. And why would any user
need to find any "hidden" password if he is able to just call any function
on the database? You need to redesign your program so that the user is not
granted any access to the database that he is not supposed to have, and
users' scripts are not called with passwords passed to them.

-- 
Alex

----------------------------------------------------------------------
Excellent.. now give users the option to cut your hair you hippie!
  -- Anonymous Coward

-- 
PHP 3 Mailing List http://www.php.net/
To unsubscribe send an empty message to php3-unsubscribe <email protected>
To subscribe to the digest list: php3-digest-subscribe <email protected>
For help: php3-help <email protected>
Archive: http://www.php.net/mailsearch.php3
List administrator: zeev-list-admin <email protected>
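
The point made in the reply above, as an added example that is not part of the original thread: code running in the same scope as the password can read it without phpinfo(), while a gateway that accepts only data and runs its own fixed queries never hands the user a credential or an open connection. All function, variable and table names are hypothetical, the password is a constructed value, and in-memory SQLite (the pdo_sqlite extension) stands in for the real database.

```php
<?php
// Added illustration, not code from the thread. All names are hypothetical.

// 1) The design the reply warns against: user code shares scope with the secret.
$db_password = 'constructed-example-secret'; // constructed sample value

function run_user_script(callable $userCode)
{
    // Stands in for include()-ing a user-written script in the same request.
    return $userCode();
}

// phpinfo() is never called, yet the user's code reads the password directly.
$leaked = run_user_script(function () {
    return $GLOBALS['db_password'];
});
echo "user script saw: $leaked\n";
unset($db_password);

// 2) The redesign: the gateway runs only its own fixed queries and takes
//    data, never code, from the user.
function gateway_query(string $operation, array $params): array
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumption: in-memory SQLite stands in for the real database. In a
        // deployment the DSN would name an account limited to these queries,
        // with its credentials read here from a file outside the web root.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
        $pdo->exec("INSERT INTO items (name) VALUES ('widget'), ('gadget')");
    }
    $allowed = [
        'item_by_id' => 'SELECT name FROM items WHERE id = :id',
    ];
    if (!isset($allowed[$operation])) {
        throw new InvalidArgumentException("operation not permitted");
    }
    $stmt = $pdo->prepare($allowed[$operation]);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(gateway_query('item_by_id', [':id' => 2]));   // permitted lookup
try {
    gateway_query('DROP TABLE items', []);            // not on the allowlist
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```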