Hi !.
I don't know if my solution is better or not. but in one of my programs i
had to make a backup online then my solution was to use shell vars to put
important information like db_password . When we use putenv function those
var only exists on the current shell and on its subshells. In your case the
following code :
<?php
putenv("DBNAME=".DB_NAME);
putenv("DBUSER=".DB_USER);
putenv("DBPASSWD=".DB_PASSWD);
system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME
< "/my/import/script.sql" 2>&1');
?>
On 11/30/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
Richard Lynch wrote:
> Don't use exec. ;-v
yeah - which is annoying because outside of php/exec() using the `cat
/path/2/myqyl/passwd`
trick works (i.e. ps doesn't give the passwd away)
thanks to everyone for there input - I have plenty to read/think about,
I send something back to the list when i have decided upon and tested a
working solutions
thanks everyone!
>
> Or, perhaps, write a shell script that reads the password and provides
> it to MySQL somehow without invoking another exec of some kind.
>
> You also could look into other MySQL authentication mechanisms such as
> SSL keys and whatnot -- which I only vaguely recall seeing somewhere
> in the MySQL docs.
>
> That might still end up with a PHP/world readable file that has a
> private key in it, but at least it requires the Bad Guy to take one
> more step to read said file.
>
> On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> I have been using exec() for a number of things recently - one of the
>> things
>> I'm using it for it to run mysql in order to import SQL scripts
>>
>> so I have some code that looks like:
>>
>> // build the cmdline
>> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
>> "%s" 2>&1',
>> MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>> $data['db_name']['value'], $file);
>>
>> // run the mysql command via the cmdline
>> $output = array(); $exit = 0;
>> @exec($cmd, $output, $exit);
>>
>> everything works. but there is a security issue - one that I thought I
>> had
>> specifically tackled.
>>
>> the security issue occurs due to the fact that the process list (this
>> is
>> just linux I'm talking about) will show the complete command line,
>> which in
>> my case would look something like (in the processlist):
>>
>>
>> mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> masks the actual
>> password from any looking in the process list. indeed undeer normal
>> shell scripting circumstances
>> that may have been true.
>>
>> BUT in using php's exec() to run the cmdline causes the following to
>> show up in the processlist:
>>
>>
>> sh -c mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AND that [sub]shell then lists it's process[s] in the list also, there
>> is only one
>> and it is this:
>>
>>
>> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>>
>>
>> does anyone have an idea how to over come this security issue (without
>> resorting to having to
>> type in the mysql admin passwd interactively!)
>>
>> thanks & regards,
>> Jochem
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
