Yep, and then you show off your super elite php build with phpinfo() and get to see ALL the environment variables of the user that apache was started as. How wonderful!
Just require_once() your connection scripts if you're going to highlight_file or give a phps. Other methods are just plain stupid. I hope everyone on php-dev@ agrees that this isn't a "vulnerability" Met vriendelijke groeten, Devon H. O'Dell sitetronics.com Original Message: ----------------- From: Jedi/Sector One [EMAIL PROTECTED] Date: Thu, 19 Sep 2002 20:02:22 +0200 To: [EMAIL PROTECTED] Subject: Re: [PHP-DEV] Thread Reading On Thu, Sep 19, 2002 at 01:56:03PM -0400, [EMAIL PROTECTED] wrote: > This is a security standard that is already inherent in the current phps > version. It is also not the job of PHP to save people from themselves. And sensitive cleartext data like SQL passwords can always be passed through environment variables. For instance, Apache has the 'Setenv' directive to set this, and the httpd.conf file can be made only readable by root. That way, publishing the source code doesn't reveal anything. -- __ /*- Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]> -*\ __ \ '/ <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a> \' / \/ <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a> \/ -------------------------------------------------------------------- mail2web - Check your email from the web at http://mail2web.com/ . -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php
