php-general Digest 16 Jun 2012 22:35:46 -0000 Issue 7857

Topics (messages 318257 through 318260):

Re: define()
        318257 by: Maciek Sokolewicz
        318258 by: Karl DeSaulniers
        318259 by: Ashley Sheridan
        318260 by: tamouse mailing lists


----------------------------------------------------------------------
--- Begin Message ---
On 16-06-2012 08:36, Karl DeSaulniers wrote:
> Quick question phprz. Is it ok to put a token inside a define() statement?
>
> IE:
> define('TOKEN', $sometoken);
>
> I guess what I am really after is if this can be read by a hacker?
> I may be misguided as to what define()'s parameters are.
> Once you define something it becomes a server variable?
> And server variables are easy to read/get ?
>
> If it is unsafe, what is the best method of storing/using a token so
> that it can be called at will?
> Kind of like a global, just more secure. Can you secure a define statement?
>
> TIA,
>
> Best,
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com



I don't think you understand what define does, or what a constant is.

The define function literally "defines" a constant. That is, it creates a constant in your script. A constant isn't a server variable, it's not some kind of special global whatever.

A constant is a kind of variable, but which is constant; that is, it can not change value once set. Constants in PHP look like variables, only without the preceding $-mark. They are not inherently safer or better than normal variables.

Now, the question we would all like to pose is: "what are you trying to do?". You say you're looking for the best method of storing/using a token to be called at will. Then of course a good question would be "what do you mean by 'token'?" and what do you want to do with that 'token'? Why is that 'token' so important to you?
--- End Message ---
--- Begin Message ---

On Jun 16, 2012, at 6:39 AM, Maciek Sokolewicz wrote:

> On 16-06-2012 08:36, Karl DeSaulniers wrote:
>> Quick question phprz. Is it ok to put a token inside a define() statement?
>>
>> IE:
>> define('TOKEN', $sometoken);
>>
>> I guess what I am really after is if this can be read by a hacker?
>> I may be misguided as to what define()'s parameters are.
>> Once you define something it becomes a server variable?
>> And server variables are easy to read/get ?
>>
>> If it is unsafe, what is the best method of storing/using a token so
>> that it can be called at will?
>> Kind of like a global, just more secure. Can you secure a define statement?
>>
>> TIA,
>>
>> Best,
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>>
>>
>
> I don't think you understand what define does, or what a constant is.
>
> The define function literally "defines" a constant. That is, it creates a constant in your script. A constant isn't a server variable, it's not some kind of special global whatever.
>
> A constant is a kind of variable, but which is constant; that is, it can not change value once set. Constants in PHP look like variables, only without the preceding $-mark. They are not inherently safer or better than normal variables.
>
> Now, the question we would all like to pose is: "what are you trying to do?". You say you're looking for the best method of storing/using a token to be called at will. Then of course a good question would be "what do you mean by 'token'?" and what do you want to do with that 'token'? Why is that 'token' so important to you?

Thanks for the reply. I had a feeling I was off-track.
I am using the token for a PayPal verification. PayPal's PDT.
Would like to know how to store safely in my config file to use in my scripts.

Karl DeSaulniers
Design Drumm
http://designdrumm.com


--- End Message ---
--- Begin Message ---
On Sat, 2012-06-16 at 07:09 -0500, Karl DeSaulniers wrote:

> On Jun 16, 2012, at 6:39 AM, Maciek Sokolewicz wrote:
> 
> > On 16-06-2012 08:36, Karl DeSaulniers wrote:
> >> Quick question phprz. Is it ok to put a token inside a define()  
> >> statement?
> >>
> >> IE:
> >> define('TOKEN', $sometoken);
> >>
> >> I guess what I am really after is if this can be read by a hacker?
> >> I may be misguided as to what define()'s parameters are.
> >> Once you define something it becomes a server variable?
> >> And server variables are easy to read/get ?
> >>
> >> If it is unsafe, what is the best method of storing/using a token so
> >> that it can be called at will?
> >> Kind of like a global, just more secure. Can you secure a define  
> >> statement?
> >>
> >> TIA,
> >>
> >> Best,
> >> Karl DeSaulniers
> >> Design Drumm
> >> http://designdrumm.com
> >>
> >>
> >
> > I don't think you understand what define does, or what a constant is.
> >
> > The define function literally "defines" a constant. That is, it  
> > creates a constant in your script.
> > A constant isn't a server variable, it's not some kind of special  
> > global whatever.
> >
> > A constant is a kind of variable, but which is constant; that is, it  
> > can not change value once set. Constants in PHP look like variables,  
> > only without the preceding $-mark. They are not inherently safer or  
> > better than normal variables.
> >
> > Now, the question we would all like to pose is: "what are you trying  
> > to do?". You say you're looking for the best method of storing/using  
> > a token to be called at will. Then of course a good question would  
> > be "what do you mean by 'token'?" and what do you want to do with  
> > that 'token'? Why is that 'token' so important to you?
> 
> Thanks for the reply. I had a feeling I was off-track.
> I am using the token for a PayPal verification. PayPal's PDT.
> Would like to know how to store safely in my config file to use in my  
> scripts.
> 
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
> 
> 


Store it in a PHP script outside of document root if you can, this
prevents it ever being seen if the server is misconfigured to not parse
php scripts properly.

Try to secure all the scripts on the site, as any of them could be a way
in, allowing someone to execute their own code on the server. This is
standard practice generally though.

-- 
Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
--- Begin Message ---
On Sat, Jun 16, 2012 at 7:17 AM, Ashley Sheridan
<a...@ashleysheridan.co.uk> wrote:
> On Sat, 2012-06-16 at 07:09 -0500, Karl DeSaulniers wrote:
>
>> On Jun 16, 2012, at 6:39 AM, Maciek Sokolewicz wrote:
>>
>> > On 16-06-2012 08:36, Karl DeSaulniers wrote:
>> >> Quick question phprz. Is it ok to put a token inside a define()
>> >> statement?
>> >>
>> >> IE:
>> >> define('TOKEN', $sometoken);
>> >>
>> >> I guess what I am really after is if this can be read by a hacker?
>> >> I may be misguided as to what define()'s parameters are.
>> >> Once you define something it becomes a server variable?
>> >> And server variables are easy to read/get ?
>> >>
>> >> If it is unsafe, what is the best method of storing/using a token so
>> >> that it can be called at will?
>> >> Kind of like a global, just more secure. Can you secure a define
>> >> statement?
>> >>
>> >> TIA,
>> >>
>> >> Best,
>> >> Karl DeSaulniers
>> >> Design Drumm
>> >> http://designdrumm.com
>> >>
>> >>
>> >
>> > I don't think you understand what define does, or what a constant is.
>> >
>> > The define function literally "defines" a constant. That is, it
>> > creates a constant in your script.
>> > A constant isn't a server variable, it's not some kind of special
>> > global whatever.
>> >
>> > A constant is a kind of variable, but which is constant; that is, it
>> > can not change value once set. Constants in PHP look like variables,
>> > only without the preceding $-mark. They are not inherently safer or
>> > better than normal variables.
>> >
>> > Now, the question we would all like to pose is: "what are you trying
>> > to do?". You say you're looking for the best method of storing/using
>> > a token to be called at will. Then of course a good question would
>> > be "what do you mean by 'token'?" and what do you want to do with
>> > that 'token'? Why is that 'token' so important to you?
>>
>> Thanks for the reply. I had a feeling I was off-track.
>> I am using the token for a PayPal verification. PayPal's PDT.
>> Would like to know how to store safely in my config file to use in my
>> scripts.
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>>
>>
>
>
> Store it in a PHP script outside of document root if you can, this
> prevents it ever being seen if the server is misconfigured to not parse
> php scripts properly.
>
> Try to secure all the scripts on the site, as any of them could be a way
> in, allowing someone to execute their own code on the server. This is
> standard practice generally though.
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>

For credentials, such as tokens, passphrases, etc, I don't tend to
store these in any particular language so that I can read and use them
no matter what implementation language I'm using.

These are stored outside of any server path, and strict
permissions/ACL controlled.

--- End Message ---
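
The advice in the last two replies (keep the credential outside the document root, in a plain file with strict permissions), sketched as an added example that is not code from any poster in this thread. It assumes PHP 7 or later on a POSIX system; `load_secret()`, the paths and the token value are hypothetical and constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example. load_secret() and all paths here are hypothetical names.
function load_secret(string $path, string $docRoot): string
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('secret file not found');
    }

    // Refuse a file that lives under the document root, where a web server
    // that is misconfigured to not parse PHP could serve it as plain text.
    $root = realpath($docRoot);
    if ($root !== false
        && strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('secret file is inside the document root');
    }

    // Strict permissions: no bits set for group or others (POSIX modes).
    clearstatcache(true, $real);
    $mode = fileperms($real);
    if ($mode === false || ($mode & 0077) !== 0) {
        throw new RuntimeException('secret file grants access to group or others');
    }

    $secret = trim((string) file_get_contents($real));
    if ($secret === '') {
        throw new RuntimeException('secret file is empty');
    }
    return $secret;
}

// Demo on constructed data: a temp file stands in for e.g. /etc/myapp/pdt_token.
$file = tempnam(sys_get_temp_dir(), 'pdt');
$docRoot = $file . '.htdocs';               // constructed stand-in for the web root
mkdir($docRoot);
file_put_contents($file, "CONSTRUCTED-EXAMPLE-TOKEN\n");
chmod($file, 0600);
define('TOKEN', load_secret($file, $docRoot));
echo 'loaded ', strlen(TOKEN), " bytes\n";
chmod($file, 0644);                         // loosened mode: the loader now refuses
try {
    load_secret($file, $docRoot);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
unlink($file);
rmdir($docRoot);
```

Because the file holds only the token text, a program in another language can read the same file, and `define()` is used only as the in-script handle once the value has been loaded.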
