1) Yes, store this kind of information outside of your web-root. But I am
not sure if Apache will return the source even if php's parser crashes. If
you are using the module version of php, Apache should be able to "re-start"
itself when such error is found. I believe you can setup Apache (and maybe
other servers) to not start, or restart, if certain procedures are not met.
If anything fails, simple doesn't start at all.

  I also believe php's cgi version has the same behaviour, ie: The server
will try to send the request again if it "crashes".

2) Sessions are identified either from a cookie, or appending the SID (or
similar) at the url, or both. Anyone who has access to the temporary session
files (or database, whetever you store it), can read them, altought I
believe that if you can't get the list of files in there, you won't guess
the actual filename (it's something like 27bf1bb8b919e7c35217f76e45f1e86a)


Julio Nobrega.

Um dia eu chego lá:

Ajudei? Salvei? Que tal um presentinho?

"Jan Peuker" <[EMAIL PROTECTED]> wrote in message
> Sorry for answering with a new question.
> But, what's if, say, the PHP-Parser crashes (or a filename is changed) and
> Apache returns the source. How is it simply possible to store passwords
> somewhere a httpd-users won't see it? (e.g. in the includes-Folder, am I
> right?)
> And are session-variables send per post or does the next script reads it
> from the session-file so nobody can't read them?
> Regars,
> Jan Peuker
> ----- Original Message -----
> From: "Miguel Cruz" <[EMAIL PROTECTED]>
> To: "Jay Fitzgerald" <[EMAIL PROTECTED]>
> Sent: Monday, April 29, 2002 8:33 PM
> Subject: Re: [PHP] PHP Security
> > On Mon, 29 Apr 2002, Jay Fitzgerald wrote:
> > > Can someone point me in the right direction in determining just how
> secure
> > > PHP really is?
> >
> > What are you actually trying to find out?
> >
> > As far as actual security problems in PHP, where the interpreter behaves
> > contrary to documentation when provided with extraordinary inputs, the
> > team has been very responsive with fixes (in contrast with, say,
> > Microsoft).
> >
> > If you are wondering about the security of any given application
> > in PHP, well, that's up to the developers of that application.
> >
> > miguel
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to