I must disagree. There is no viable way for an attacker to override a vhost
set SetEnv.
I use a SetEnv configuration production|beta|etc
I then use Zend_Config_Ini to load a derived section based on the SetEnv'd
value. This means that the code in your SVN for example, can be identical
and function differently based on the server configuration. I would advise
though, to also check for display_errors ini setting before echoing any
sensitive error information.
Kevin
----- Original Message -----
From: "Andries Seutens" <[EMAIL PROTECTED]>
To: "Stephan Stapel" <[EMAIL PROTECTED]>
Cc: "Gunter Sammet" <[EMAIL PROTECTED]>; "Zend Framework"
<[email protected]>
Sent: Monday, June 25, 2007 10:09 AM
Subject: Re: [fw-general] Deployment dependent code
Stephan Stapel wrote:
Have a look at Zend_Config
(http://framework.zend.com/manual/en/zend.config.adapters.ini.html).
I am already using the config classes. I was just asking myself if
someone has best practises on using these classes.
In fact, I'm already using Zend_Config_Xml with multiple sections, one
for each environment.
Is this the path that you'd also suggest to take? And how to best decide
which section is correct? Based on the $_SERVER['HTTP_POST'] value? Or
are there better alternatives?
Regards,
Stephan
Hi Stephan,
I would not recommend basing your configuration on the $_SERVER['*']
superglobal. Why? Because it could be manipulated by an attacker.
I would recommend that you hardcode your configuration somewhere in your
bootstrap file, by defining a constant or similar.
Best,
Andries Seutens
http://andries.systray.be
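
The setup described in the reply at the top of this thread (environment name set in the vhost, config section derived from it, error detail gated on display_errors), as an added example that is not code from any of the posters. The variable name APP_ENV, the section names, the helper function names, the config path and the sample values are assumptions; plain arrays stand in for $_SERVER so it runs without Apache or Zend Framework.

```php
<?php
// Added illustration. APP_ENV and the section names are assumptions; the vhost
// would carry a line such as:  SetEnv APP_ENV beta
const KNOWN_ENVIRONMENTS = ['production', 'beta', 'development'];

/**
 * Choose the config section from the server-set variable only.
 * Request headers reach PHP as HTTP_* keys (HTTP_HOST is the client's Host
 * header), so no HTTP_* key is consulted.
 */
function resolve_environment(array $server): string
{
    $env = $server['APP_ENV'] ?? '';
    // Missing or unknown value: fall back to the most restrictive section.
    return in_array($env, KNOWN_ENVIRONMENTS, true) ? $env : 'production';
}

/** True when the display_errors ini setting is switched on. */
function display_errors_enabled(): bool
{
    $value = strtolower((string) ini_get('display_errors'));
    return in_array($value, ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true);
}

/** Error text for the response: detail only if display_errors allows it. */
function error_body(Throwable $e, bool $showDetail): string
{
    return $showDetail ? $e->getMessage() : 'An error occurred.';
}

// Constructed $_SERVER samples: one vhost with SetEnv, and one without it
// where the client sent "Host: beta.example.test" and "App-Env: development".
$samples = [
    ['APP_ENV' => 'beta', 'HTTP_HOST' => 'www.example.test'],
    ['HTTP_HOST' => 'beta.example.test', 'HTTP_APP_ENV' => 'development'],
];
foreach ($samples as $server) {
    $section = resolve_environment($server);
    // With Zend Framework 1 on the include path, the section is then loaded:
    //   $config = new Zend_Config_Ini('/path/to/application.ini', $section);
    echo $section, PHP_EOL;
}

$failure = new RuntimeException('constructed failure with connection details');
echo error_body($failure, display_errors_enabled()), PHP_EOL;
```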