Kevin,
I am saying that you shouldn't trust the $_SERVER superglobal as much as
most people think. If you use it, just make sure you take the proper
security precautions.
Best,
Andries Seutens
Kevin McArthur wrote:
I must disagree. There is no viable way for an attacker to override a
vhost set SetEnv.
I use a SetEnv configuration production|beta|etc
I then use Zend_Config_Ini to load a derived section based on the
SetEnv'd value. This means that the code in your SVN for example, can be
identical and function differently based on the server configuration. I
would advise though, to also check for display_errors ini setting before
echoing any sensitive error information.
Kevin
----- Original Message ----- From: "Andries Seutens"
<[EMAIL PROTECTED]>
To: "Stephan Stapel" <[EMAIL PROTECTED]>
Cc: "Gunter Sammet" <[EMAIL PROTECTED]>; "Zend Framework"
<[email protected]>
Sent: Monday, June 25, 2007 10:09 AM
Subject: Re: [fw-general] Deployment dependent code
Stephan Stapel wrote:
Have a look at Zend_Config
(http://framework.zend.com/manual/en/zend.config.adapters.ini.html).
I am already using the config classes. I was just asking myself if
someone has best practises on using these classes.
In fact, I'm already using Zend_Config_Xml with multiple sections,
one for each environment.
Is this the path that you'd also suggest to take? And how to best
decide which section is correct? Based on the $_SERVER['HTTP_POST']
value? Or are there better alternatives?
Regards,
Stephan
Hi Stephan,
I would not recommend to base your configuration on the $_SERVER['*']
superglobal. Why? Because it could be manipulated by an attacker.
I would recommend you to hardcode your configuration somewhere in your
bootstrap file, by defining a constant or similar.
Best,
Andries Seutens
http://andries.systray.be
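The approach Kevin describes (an Apache SetEnv value choosing a Zend_Config_Ini section) combined with the precautions Andries asks for, as an added example that is not code from either of them or from Zend Framework. The variable name APPLICATION_ENV, the config.ini layout and the errors.verbose key are assumptions for this example; the point is that the selector comes from server configuration (SetEnv) rather than from a client-supplied value such as the Host header, and that anything not on the allowlist falls back to the least verbose section.

```php
<?php
// Added example (not code from the thread's authors or from Zend Framework).
// Assumed Apache vhost line:   SetEnv APPLICATION_ENV beta
// Assumed config.ini:          [production]        errors.verbose = 0
//                              [beta : production] errors.verbose = 1
//                              [development : production] errors.verbose = 1
require_once 'Zend/Config/Ini.php';

function selectEnvironment()
{
    // Only section names that really exist in config.ini are acceptable;
    // HTTP_HOST and other request-derived $_SERVER keys are never consulted.
    $allowed = array('production', 'beta', 'development');
    $env = getenv('APPLICATION_ENV');   // populated by SetEnv, not by the client

    // Missing or unknown values fall back to production so that a
    // misconfigured vhost never switches on verbose error output.
    if ($env === false || !in_array($env, $allowed, true)) {
        return 'production';
    }
    return $env;
}

function loadConfig($iniPath)
{
    $section = selectEnvironment();
    // The second argument picks the [section]; "[beta : production]" inherits
    // every production value and overrides only what beta redefines.
    return new Zend_Config_Ini($iniPath, $section);
}

function renderError(Exception $e, Zend_Config $config)
{
    // Details are shown only when the selected section allows it AND
    // display_errors is on, the extra check Kevin recommends.
    $displayOn = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
    if ((bool) $config->errors->verbose && $displayOn) {
        return 'Error: ' . $e->getMessage();
    }
    error_log($e->getMessage());        // keep the detail server-side
    return 'An error occurred.';
}

// Bootstrap usage (path assumed):
$config = loadConfig(dirname(__FILE__) . '/config.ini');
```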