Couldn't one, if they knew the names of the variables, find out someone's DB info?

**Dylan B** · Apr 25, 2005 19:23

Like, if I were to include some's config.php on a remote server, couldn't I then echo $password and whatever?

**vinyl-junkie** · Apr 25, 2005 19:36

If you have register globals off, it is very unlikely that someone would be able to retrieve password information via a remote server. You might want to have a look at this thread and the prior thread that it links to for some ideas on how to make your scripts more secure. There is also an excellent SitePoint article here on PHP script security.

Hope this helps.

**Dylan B** · Apr 25, 2005 19:47

But like, lets say on your server, you have a file config.php located at http://www.yourserver.com/config.php

If I were to create a script like:

PHP Code:


<?php

include('http://www.yourserver.com/config.php');

echo $password;

?>

and simply guess and check until I got it right, couldn't I be able to get it?

**vinyl-junkie** · Apr 25, 2005 20:03

To quote a post from that other thread I mentioned:

In a word, no. The only way I know of that they could cause harm would be to run their script on your server. Register globals OFF prevents that from happening.

**Dylan B** · Apr 25, 2005 20:07

WHat I'm not undersatnding, is why wouldn't that work? If I were to run the above script on my server, wouldn't I eventually get the password?

**amrknt** · Apr 25, 2005 23:30

Originally Posted by Dylannn

But like, lets say on your server, you have a file config.php located at http://www.yourserver.com/config.php

If I were to create a script like:

PHP Code:


<?php

include('http://www.yourserver.com/config.php');

echo $password;

?>

and simply guess and check until I got it right, couldn't I be able to get it?

If you want to use variable form a included file, include the file with SERVER PATH instead of URL PATH.

**mwolfe** · Apr 26, 2005 00:56

I just now tested if you could do that using some very important information i have in an include file for a site i made.. I was not able to get the variables from a remotely included/required page.. It looks like php has secured that. However you can include remote pages without any problems. I suppose that is common knowledge though

**Dylan B** · Apr 26, 2005 09:09

That you kind sirs

**vinyl-junkie** · Apr 26, 2005 18:23

Originally Posted by Dylannn

That you kind sirs

Erm, I'm not a sir, but you're welcome!

**Dylan B** · May 7, 2005 14:15

Thank**

And Sir and/or Madams**

**dmsuperman** · May 7, 2005 14:29

If you include a file from another server it merely includes the html output, not the PHP source, otherwise PHP wouldn't be very secure would it? :P

**Dylan B** · May 7, 2005 15:29

Originally Posted by dmsuperman

If you include a file from another server it merely includes the html output, not the PHP source, otherwise PHP wouldn't be very secure would it? :P

But on your own server, you can access varaiables defined in an include

User Tag List

Thread: Couldn't one, if they knew the names of the variables, find out someone's DB info?

Thread Tools

Display

Couldn't one, if they knew the names of the variables, find out someone's DB info?

Bookmarks

Bookmarks

Posting Permissions