> -----Original Message-----
> From: Philip Tellis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 09, 1999 5:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ILUG-BOM] security help :PHP +MySQL
>
>
> On Wed, 8 Dec 1999, Shahed Ali wrote:
>
> > I had the same problem. My friend hosted with indialinks or some other Co in
> > Goregoun/ Malad I think, and I brought that to their notice. But that guy
> > simply ignored me. As far as I know, you need to have a dedicated server for
> > your work.
> > I don't know of any other way, except of course, you enter the password as
> > part of a http POST. But then all your end users will also have to know the
> > passwd.
>
> That is a very very bad idea. The reason: anyone listening on the line
> would get the password, because it is sent as plain text over the net.
> The password should be stored only on the server.
>
> > From: ranjeet walunj <[EMAIL PROTECTED]>
> >
> > > now my problem is this .php3/.phtml file is world readable
> > > even if the directory in which it is placed is not having r/w access on
> > > webserver, but anyone who is having telnet access (in case of webserver the
> > > other guys who are hosting on the same server)
> > > can copy the file without getting any problem... thus he can get the
> > > database passwd (which is very critical)
> > >
> > > will anyone working on securing webserver help me out please....
> > > or is there any different way of defining username+passwd in php script?
> > > can external exec file EXPORT these variables? how to get them in php
> > > script
>
> I am not a php3 programmer, but this seems to be a basic security problem,
> and is similar to the problem with Perl programs. The only way to protect
> your code is to delete it (from the Perl FAQ). I do not think that that
> is a viable option for most of us. Another option may be to compile your
> program to bytecode. I do not know if this is possible in PHP, but it is
> worth a try.
Nah, PHP and Perl are both interpreted. You can compile Perl on NT
(www.activestate.com), not on Unices though.
Now that's a thought: you can write an executable that puts uname and
passwd in env... but if the server can exec it, so can someone else.
DUH.
But I wonder... what happens if you do something like this:
permissions on filename.php3
  owner:  rwx
  group:  ---
  others: --x
Do you think it will work? Anyone?
>
> While this will not guarantee security (any *competent* programmer will be
> able to reverse engineer the code), it will however deter the casual
> password sniffer / inexperienced cracker (not hacker - hackers don't
> crack - read the jargon file).
>
> I will have a look around and see if anything comes up.
>
> HTH
>
> Philip
>
> To subscribe / unsubscribe goto the site www.ilug-bom.org .,
> click on the mailing list button and fill the appropriate information
> and submit. For any other queries contact the ML maintainer
>
>
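Editor's added example (not from any poster in this thread). Two caveats a practitioner would want before trying the `--x` idea above: an interpreted script has to be *read* by the interpreter (php, perl, or the web server's PHP module) before it can run, so an execute bit without a read bit does not help the way it does for a compiled binary; and on a shared host where one web server account (e.g. `nobody`) runs every customer's scripts, anything that account can read is readable by every other customer's scripts too, which is why the "dedicated server" remark above is not far off unless the host runs each site's PHP as its own user. The pattern that does help within those limits is to keep the password out of the script entirely: put it in a separate `key=value` file outside the document root, owned by the account the script runs as, mode 0600, and have the loader refuse any file that group or others can read. The file name and the credential values below are hypothetical and constructed for the demo; in PHP 4 and later the same file can be read with `parse_ini_file()`.

```python
"""Keep the DB password in a private file, and refuse to load it if it is
not private.  Added example; paths and credentials are hypothetical."""
import os
import stat
import tempfile


class UnsafePermissions(Exception):
    """Raised when a credential file is readable by group or others."""


def check_private(path):
    """Return the permission bits of `path`, or raise if anyone but the
    owner can read it.  We look at the mode bits, not at whether *we* can
    open it, so the check is meaningful even when run as root."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise UnsafePermissions(f"{path} is not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:              # any group/other bit set: rwx for g or o
        raise UnsafePermissions(
            f"{path} is mode {mode:04o}; must be 0600 or tighter")
    return mode


def load_credentials(path):
    """Parse a key=value file (blank lines and # comments ignored) after
    verifying it is private."""
    check_private(path)
    creds = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"bad line in {path}: {raw!r}")
            creds[key.strip()] = value.strip()
    return creds


def write_credentials(path, creds):
    """Create the file with mode 0600 from the first instant it exists;
    O_EXCL refuses to clobber a file someone else planted, and umask can
    only remove bits, never add them."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("# database credentials, constructed sample values\n")
        for key, value in creds.items():
            fh.write(f"{key}={value}\n")


def demo():
    """Run the scenario from the thread: a private file loads, a
    world-readable one (the shared-host situation) is refused."""
    sample = {"DB_USER": "webapp", "DB_PASS": "example-only"}   # constructed
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "db.conf")        # hypothetical path
        write_credentials(good, sample)
        loaded = load_credentials(good)
        good_mode = check_private(good)

        bad = os.path.join(tmp, "db_world.conf")
        write_credentials(bad, sample)
        os.chmod(bad, 0o644)                       # what the .php3 file had
        try:
            load_credentials(bad)
            refused = False
        except UnsafePermissions:
            refused = True
        return {"loaded": loaded, "good_mode": good_mode,
                "world_readable_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The refusal is deliberately loud: a script that silently falls back to a world-readable file would recreate the original problem the next time someone runs `chmod 644` on the config directory.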