[PHP] In Addition to [PHP] PHP Security

2002-04-29 Thread Jan Peuker

Sorry for answering with a new question.
But what if, say, the PHP parser crashes (or a filename is changed) and
Apache returns the source? How is it simply possible to store passwords
somewhere httpd users won't see them? (e.g. in the includes folder, am I
right?)
And are session variables sent per POST, or does the next script read them
from the session file so nobody can read them?
Regards,

Jan Peuker

- Original Message -
From: Miguel Cruz [EMAIL PROTECTED]
To: Jay Fitzgerald [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, April 29, 2002 8:33 PM
Subject: Re: [PHP] PHP Security


 On Mon, 29 Apr 2002, Jay Fitzgerald wrote:
  Can someone point me in the right direction in determining just how secure
  PHP really is?

 What are you actually trying to find out?

 As far as actual security problems in PHP, where the interpreter behaves
 contrary to documentation when provided with extraordinary inputs, the
 team has been very responsive with fixes (in contrast with, say,
 Microsoft).

 If you are wondering about the security of any given application developed
 in PHP, well, that's up to the developers of that application.

 miguel


 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php







RE: [PHP] In Addition to [PHP] PHP Security

2002-04-29 Thread Cal Evans

While I've never actually had that happen (if Apache crashes, NOTHING goes
out the socket...not the source to the page), in short, there is very little
that you can do to protect yourself against this. For PHP to get to the
file, it has to be readable by the user that Apache is running under. Since
include files get shoveled in before the page is executed, if Apache were to
spew the source, your include files would go with it.

That being said, I keep all my passwords in include files and keep the
include files in directories that Apache can't serve directly.  This
provides some level of comfort. (but not a lot)

=C=

*
* Cal Evans
* Journeyman Programmer
* Techno-Mage
* http://www.calevans.com
*
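
The arrangement described in the reply above (credentials in an include file kept where Apache cannot serve it by URL), as an added example that is not code from the thread: a loader that refuses a secrets file inside the document root or readable by "other". It assumes a Unix host; the paths, the `db_pass` key and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes a Unix host; all paths and
// the 'db_pass' key are constructed for illustration.

/** True when $file resolves (symlinks followed) to a path under $docRoot. */
function is_under_docroot(string $file, string $docRoot): bool
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('cannot resolve file or document root');
    }
    $root = rtrim($root, '/') . '/';
    return strncmp($real, $root, strlen($root)) === 0;
}

/** Load credentials only from a file Apache cannot serve by URL. */
function load_secrets(string $file, string $docRoot): array
{
    if (is_under_docroot($file, $docRoot)) {
        throw new RuntimeException("refusing $file: inside the document root");
    }
    // The Apache user must be able to read the file; nobody else needs to.
    $mode = fileperms($file) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('refusing %s: mode %04o is open to "other"', $file, $mode));
    }
    $secrets = require $file;          // the file returns an array
    if (!is_array($secrets)) {
        throw new RuntimeException("$file did not return an array");
    }
    return $secrets;
}

// Demo on a constructed layout under the temp directory.
$base = sys_get_temp_dir() . '/secrets_demo_' . getmypid();
mkdir("$base/htdocs", 0755, true);
mkdir("$base/private", 0750, true);
file_put_contents("$base/private/db.php", "<?php return ['db_pass' => 'constructed-value'];\n");
chmod("$base/private/db.php", 0640);
file_put_contents("$base/htdocs/db.inc", "<?php return ['db_pass' => 'constructed-value'];\n");

$ok = load_secrets("$base/private/db.php", "$base/htdocs");
echo "loaded keys: ", implode(',', array_keys($ok)), "\n";
try {
    load_secrets("$base/htdocs/db.inc", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Under Apache the second argument would normally be `$_SERVER['DOCUMENT_ROOT']`; the check covers the case raised in the question, where a file under the document root is returned as plain source.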

