cmxflash -
Joined: 11 Dec 2004 Posts: 872
Posted: Sun Aug 07, 2005 7:56 pm Post subject: Getting PHP-variables?
So, I have PHP5 installed on my server, and it works fine.
Let's say I have a file called test.php:
Code: |
<?php
$variable = "var1";
$variable2 = "var2";
// ...the rest of the code.
?>
|
Is it possible for an intruder to get the value of the variables $variable1 and 2? Without having access to my hard drives, just by some exploit or something like that?
MonkeyNation -
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Sun Aug 07, 2005 8:05 pm Post subject: Re: Getting PHP-variables?
cmxflash wrote: | So, I have PHP5 installed on my server, and it works fine.
Let's say I have a file called test.php:
Code: |
<?php
$variable = "var1";
$variable2 = "var2";
// ...the rest of the code.
?>
|
Is it possible for an intruder to get the value of the variables $variable1 and 2? Without having access to my hard drives, just by some exploit or something like that? |
Not while the files are parsed by the PHP interpreter.
A bug may be discovered obviously, but no one can predict that.
k1ll3rdr4g0n -
Joined: 04 Jul 2004 Posts: 609
Posted: Sun Aug 07, 2005 9:44 pm Post subject: Re: Getting PHP-variables?
cmxflash wrote: | So, I have PHP5 installed on my server, and it works fine.
Let's say I have a file called test.php:
Code: |
<?php
$variable = "var1";
$variable2 = "var2";
// ...the rest of the code.
?>
|
Is it possible for an intruder to get the value of the variables $variable1 and 2? Without having access to my hard drives, just by some exploit or something like that? |
No, because while it's interpreted by PHP (like MonkeyNation said) the variables are just stored and not outputted unless you tell it to.
This is a very unlikely scenario but it's possible: you give someone hosting. They know where your installation of [insert some php script here] is. They could technically write a script to where it'll include the config file and get your config options, like this:
Code: |
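<?php
// Script in the hosted user's own directory: pulls in another site's config file
include '../../../config.php';
// The included file's variables are now in scope, so its settings can be printed
echo $db['server'];
echo $db['user'];
echo $db['pass'];
?> |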
PHP in safe mode prevents against that. But what you can also help prevent that is put your hosted in a completely different folder like c:\www\hosted.
And make sure they don't install any file managers.
But I think if you run Linux you can set permissions.
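
An added example, not part of the original posts: a PHP audit of one config file for the exposure described above (another hosted user's script including it, or the file being served as text if PHP stops parsing it). The function name `audit_config` and the demo paths are hypothetical, a Unix-like host is assumed, and `open_basedir` is checked because safe mode was removed in PHP 5.4.

```php
<?php
// Added example: audit a config file for the exposure discussed in the thread.
// audit_config() is a hypothetical helper; demo paths below are constructed.

/** Return a list of findings for one config file; an empty list means none. */
function audit_config(string $configPath, string $docRoot, string $openBasedir): array
{
    $findings = [];
    $real = realpath($configPath);
    if ($real === false) {
        return ["cannot resolve $configPath"];
    }

    // 1. World-readable: other local accounts can read or include the file.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        $findings[] = sprintf('%s is world-readable (mode %04o)', $real, $mode);
    }

    // 2. Inside the document root: served as plain text if PHP parsing ever stops.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        $findings[] = "$real is inside the document root $root";
    }

    // 3. No open_basedir: include '../../../config.php' is not confined
    //    to the hosted user's own directory.
    if (trim($openBasedir) === '') {
        $findings[] = 'open_basedir is empty; includes can reach any readable path';
    }
    return $findings;
}

// Demo on a constructed temporary tree (assumption: Unix-like host).
$base = sys_get_temp_dir() . '/audit_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
file_put_contents("$base/htdocs/config.php", "<?php \$db = [];\n");
chmod("$base/htdocs/config.php", 0644);

// ini_get() reports the value for the SAPI running this script (CLI here);
// pass the value from the web server's PHP configuration when auditing a site.
$basedir = (string) ini_get('open_basedir');
foreach (audit_config("$base/htdocs/config.php", "$base/htdocs", $basedir) as $f) {
    echo "FINDING: $f\n";
}
unlink("$base/htdocs/config.php");
rmdir("$base/htdocs");
rmdir($base);
```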
cmxflash -
Joined: 11 Dec 2004 Posts: 872
Posted: Sun Aug 07, 2005 10:23 pm Post subject:
No need, I don't allow PHP to the persons I host on my server.