On Tue, 2002-03-05 at 13:14, Keyser Soze wrote:
> this is different...the idea around this new module is that you won't have
> any script in your server with your configurations in plain text, let me
> show you another example:
>
> runonce.php:
> /* This script will be only run once and then must be erased */
>
> $conf[dbhost] = "10.10.60.1";
> $conf[dbname] = "mydatabase";
> $conf[dbuser] = "admin";
> $conf[dbpass] = "weakpass";
>
> cfg_set("db.cfg",$conf);
>
> /* End of runonce.php */
>
> And then you'll have a file called db.cfg with all your configuration stored
> encrypted.
> And then, when you need to use it you do:
>
> dbconnection.php:
>
> /* ...... All connection functions ..... */
>
> $vars_db = cfg_get("db.cfg");
> connect($conf[dbhost], $conf[dbname] , $conf[dbuser] , $conf[dbpass] );
>
> /* FIN */
>
> So if anyone hacks into your server, he won't get your vital configurations
> in plain text.

What stops the hacker from doing:

$vars_db = cfg_get("db.cfg");
connect($conf[dbhost], $conf[dbname] , $conf[dbuser] , $conf[dbpass] );
print_r($conf); // or var_dump($conf);

?

> And the encryption method can be changed easily, just doing a new
> libmycrypt.so. Like I said, libmycrypt.so is meant to have the functions
> (char *)my_crypt(char *) and (char *)my_decrypt(char *).
> The encryption method will be the user/admin choice.
>

--
Robin Ericsson <lobbin at localhost dot nu>
"The secret of flying is to throw yourself at the ground, and miss."
    -- Douglas Adams
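
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the proposed module: the stored file is opaque, but decryption needs no secret from the caller, so any script running in the same PHP context recovers the plaintext. `demo_cfg_set()`, `demo_cfg_get()` and `MODULE_KEY` are hypothetical stand-ins for `cfg_set()`, `cfg_get()` and the method built into libmycrypt.so; AES-256-GCM via the OpenSSL extension is an assumption, and the key and values are constructed.

```php
<?php
// Added illustration: demo_cfg_set()/demo_cfg_get() are hypothetical stand-ins
// for the proposed cfg_set()/cfg_get(); key and config values are constructed.

// The proposed module decrypts without asking the caller for a secret, so the
// key material must live somewhere the PHP process can reach. Modelled here as
// a constant; in the proposal it would sit inside libmycrypt.so.
const MODULE_KEY = 'constructed-demo-key-32-bytes!!!'; // 32 bytes

function demo_cfg_set(string $file, array $conf): void
{
    $iv = random_bytes(12);
    $ct = openssl_encrypt(serialize($conf), 'aes-256-gcm', MODULE_KEY,
                          OPENSSL_RAW_DATA, $iv, $tag);
    file_put_contents($file, $iv . $tag . $ct);
    chmod($file, 0600); // file permissions still matter for the ciphertext
}

function demo_cfg_get(string $file): array
{
    $raw = file_get_contents($file);
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $pt  = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', MODULE_KEY,
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException("cannot decrypt $file");
    }
    return unserialize($pt, ['allowed_classes' => false]);
}

$file = sys_get_temp_dir() . '/db.cfg';
demo_cfg_set($file, ['dbhost' => '10.10.60.1', 'dbuser' => 'admin',
                     'dbpass' => 'weakpass']);

// On disk there is no plaintext. This is what the design does protect:
// backups, a leaked copy of the file, a read-only file disclosure.
var_dump(strpos(file_get_contents($file), 'weakpass') !== false);

// Inside any script the same PHP process runs, the plaintext comes back with
// no secret supplied. The ability to call the function is the credential,
// which is the objection raised in the reply.
var_dump(demo_cfg_get($file)['dbpass'] === 'weakpass');

unlink($file);
```

The first `var_dump` checks the raw file for the password and the second checks the decrypted array; comparing the two shows that the protection boundary is who can execute code in that PHP context, not who can read db.cfg.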