| View previous topic :: View next topic |
| Author |
Message |
cmxflash
-
Joined: 11 Dec 2004
Posts: 872
|
 Posted: Sun Aug 07, 2005 7:56 pm Post subject: Getting PHP-variables? |
 |
|
So, I have PHP5 installed on my server, and it works fine.
Lets say I have a file called test.php:
| Code: |
<?
$variable = "var1";
$variable2 = "var2";
...the rest of the code.
?>
|
Is it possible for an intruder to get the valute of the variables $variable1 and 2? Without having access to my harddrives, just by some exploit or something like that? |
|
| Back to top |
  |
 |
MonkeyNation
-
Joined: 05 Feb 2005
Posts: 921
Location: Cardiff
|
| Posted: Sun Aug 07, 2005 8:05 pm Post subject: Re: Getting PHP-variables? |
|
|
| cmxflash wrote: | So, I have PHP5 installed on my server, and it works fine.
Lets say I have a file called test.php:
| Code: |
<?
$variable = "var1";
$variable2 = "var2";
...the rest of the code.
?>
|
Is it possible for an intruder to get the valute of the variables $variable1 and 2? Without having access to my harddrives, just by some exploit or something like that? |
Not while the files are parsed by the php inturpretter.
A bug may be discovered obviously, but no one can predict that.
_________________
 |
|
| Back to top |
    |
|
k1ll3rdr4g0n
-
Joined: 04 Jul 2004
Posts: 609
|
| Posted: Sun Aug 07, 2005 9:44 pm Post subject: Re: Getting PHP-variables? |
|
|
| cmxflash wrote: | So, I have PHP5 installed on my server, and it works fine.
Lets say I have a file called test.php:
| Code: |
<?
$variable = "var1";
$variable2 = "var2";
...the rest of the code.
?>
|
Is it possible for an intruder to get the valute of the variables $variable1 and 2? Without having access to my harddrives, just by some exploit or something like that? |
No, because while its interputed by php (like MonkeyNation said) the variables are just stored and not outputed unless you tell it to.
This a very unlikly senerio but its possible, you give someone hosting. They know where your installtion of [insert some php script here] is. They could technically write a script to where itll include the config file and get your config options. like this:
| Code: |
<?
include '../../../config.php';
echo $db['server'];
echo $db['user'];
echo $db['pass'];
?> |
PHP in safe mode prevents against that. But what you can also help prevent that is put your hosted in a completly different folder like c:\www\hosted.
And make sure they don't install any file managers.
But I think if you run linux you can set permissions.
_________________
 |
|
| Back to top |
|
|
cmxflash
-
Joined: 11 Dec 2004
Posts: 872
|
| Posted: Sun Aug 07, 2005 10:23 pm Post subject: |
|
|
| No need, I don't allow PHP to the persons I host on my server. |
|
| Back to top |
|
|
|
