  1. #1
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150

    Couldn't one, if they knew the names of the variables, find out someone's DB info?

    Like, if I were to include someone's config.php on a remote server, couldn't I then echo $password and whatever?

  2. #2
    $this->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Dec 2003
    Location
    Federal Way, Washington (USA)
    Posts
    1,524
    If you have register globals off, it is very unlikely that someone would be able to retrieve password information via a remote server. You might want to have a look at this thread and the prior thread that it links to for some ideas on how to make your scripts more secure. There is also an excellent SitePoint article here on PHP script security.

    Hope this helps.
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    Showcase your music collection on the Web

  3. #3
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    But like, let's say on your server, you have a file config.php located at http://www.yourserver.com/config.php

    If I were to create a script like:
    PHP Code:
    <?php
    include('http://www.yourserver.com/config.php');
    echo $password;
    ?>
    and simply guess and check until I got it right, couldn't I be able to get it?

  4. #4
    $this->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Dec 2003
    Location
    Federal Way, Washington (USA)
    Posts
    1,524
    To quote a post from that other thread I mentioned:

    In a word, no. The only way I know of that they could cause harm would be to run their script on your server. Register globals OFF prevents that from happening.
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    Showcase your music collection on the Web

  5. #5
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    What I'm not understanding is, why wouldn't that work? If I were to run the above script on my server, wouldn't I eventually get the password?

  6. #6
    SitePoint Zealot amrknt's Avatar
    Join Date
    Nov 2003
    Location
    india
    Posts
    192
    Quote Originally Posted by Dylannn
    But like, let's say on your server, you have a file config.php located at http://www.yourserver.com/config.php

    If I were to create a script like:
    PHP Code:
    <?php
    include('http://www.yourserver.com/config.php');
    echo $password;
    ?>
    and simply guess and check until I got it right, couldn't I be able to get it?
    If you want to use a variable from an included file, include the file with the SERVER PATH instead of the URL PATH.

  7. #7
    SitePoint Guru mwolfe's Avatar
    Join Date
    Mar 2005
    Posts
    912
    I just now tested if you could do that using some very important information I have in an include file for a site I made. I was not able to get the variables from a remotely included/required page. It looks like PHP has secured that. However, you can include remote pages without any problems. I suppose that is common knowledge, though.

  8. #8
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    That you kind sirs

  9. #9
    $this->toCD-R(LP); vinyl-junkie's Avatar
    Join Date
    Dec 2003
    Location
    Federal Way, Washington (USA)
    Posts
    1,524
    Quote Originally Posted by Dylannn
    That you kind sirs
    Erm, I'm not a sir, but you're welcome!
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    Showcase your music collection on the Web

  10. #10
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Thank**

    And Sir and/or Madams**

  11. #11
    SitePoint Evangelist dmsuperman's Avatar
    Join Date
    Feb 2005
    Location
    A box
    Posts
    516
    If you include a file from another server it merely includes the html output, not the PHP source, otherwise PHP wouldn't be very secure would it? :P
    <(^.^<) \(^.^\) (^.^) (/^.^)/ (>^.^)>
    Core 2 Duo E8400 clocked @ 3.375GHz, 2x2GB 800MHz DDR2 RAM
    5x SATA drives totalling 2.5TB, 7900GS KO, 6600GT

  12. #12
    SitePoint Wizard Dylan B's Avatar
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by dmsuperman
    If you include a file from another server it merely includes the html output, not the PHP source, otherwise PHP wouldn't be very secure would it? :P
    But on your own server, you can access variables defined in an include.
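
Added example, not part of the original thread: a local comparison of the two cases discussed above, including config.php by server path versus receiving only what the file prints when a web server executes it. The temporary file, the `example-only` value and the helper names are constructed for illustration, and output buffering stands in for the HTTP response body.

```php
<?php
// Constructed stand-in for the thread's config.php (hypothetical value).
$dir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($dir);
$config = $dir . '/config.php';
file_put_contents($config, "<?php\n\$password = 'example-only';\n");

// 1. Include by server (filesystem) path: the file runs inside this
//    process, so its variables land in the including scope.
function load_by_path(string $path): ?string
{
    include $path;
    return $password ?? null;
}

// 2. What a web server sends for the same file: it executes the code and
//    returns only what the code prints. Buffering the output in a separate
//    scope stands in for that response body (an assumption of this demo).
function rendered_output(string $path): string
{
    ob_start();
    (static function () use ($path) {
        include $path;
    })();
    return ob_get_clean();
}

$local  = load_by_path($config);
$remote = rendered_output($config);

printf("filesystem include sees \$password: %s\n", var_export($local, true));
printf("bytes a remote client would receive: %d\n", strlen($remote));

// 3. A URL include is refused outright unless the including server has
//    enabled allow_url_include in its own php.ini.
printf("allow_url_include = %s\n", var_export(ini_get('allow_url_include'), true));

// Clean up the constructed files.
unlink($config);
rmdir($dir);
```

The second result holds only while the web server actually executes config.php as PHP; keeping the file outside the document root and including it by server path removes that dependency.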

