Edwin Barrios wrote:
> Hi!
>
> I don't know if my solution is better or not.

neither do I! but I'm certainly going to give the alternative a go and see
exactly what it shows in the process list. thanks for the tip!

> but in one of my programs I
> had to make a backup online, so my solution was to use shell vars to hold
> important information like db_password. When we use the putenv function, those
> vars only exist in the current shell and its subshells. In your case the
> following code:
>
> <?php
> // DB_NAME, DB_USER and DB_PASSWD are constants defined elsewhere in the app.
> // putenv() exports them into the environment that the child shell inherits,
> // so the single-quoted $DBUSER/$DBPASSWD/$DBNAME below are expanded by sh,
> // not by PHP.
> putenv("DBNAME=".DB_NAME);
> putenv("DBUSER=".DB_USER);
> putenv("DBPASSWD=".DB_PASSWD);
>
> system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME < "/my/import/script.sql" 2>&1');
> ?>
>
> On 11/30/06, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>>
>> Richard Lynch wrote:
>> > Don't use exec. ;-v
>>
>> yeah - which is annoying because outside of php/exec() using the `cat
>> /path/2/mysql/passwd` trick works (i.e. ps doesn't give the passwd away)
>>
>> thanks to everyone for their input - I have plenty to read/think about;
>> I'll send something back to the list when I have decided upon and tested a
>> working solution
>>
>> thanks everyone!
>>
>> >
>> > Or, perhaps, write a shell script that reads the password and provides
>> > it to MySQL somehow without invoking another exec of some kind.
>> >
>> > You also could look into other MySQL authentication mechanisms such as
>> > SSL keys and whatnot -- which I only vaguely recall seeing somewhere
>> > in the MySQL docs.
>> >
>> > That might still end up with a PHP/world readable file that has a
>> > private key in it, but at least it requires the Bad Guy to take one
>> > more step to read said file.
>> >
>> > On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> >> I have been using exec() for a number of things recently - one of the
>> >> things I'm using it for is to run mysql in order to import SQL scripts
>> >>
>> >> so I have some code that looks like:
>> >>
>> >> // build the cmdline (MYSQL_SERVER and MYSQL_ROOT_USER are app constants;
>> >> // the backticks are left for the shell that exec() spawns to expand)
>> >> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s < "%s" 2>&1',
>> >>                MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>> >>                $data['db_name']['value'], $file);
>> >>
>> >> // run the mysql command via the cmdline; $output receives the lines it
>> >> // prints and $exit its exit status
>> >> $output = array(); $exit = 0;
>> >> @exec($cmd, $output, $exit);
>> >>
>> >> everything works. but there is a security issue - one that I thought I
>> >> had specifically tackled.
>> >>
>> >> the security issue occurs due to the fact that the process list (this
>> >> is just linux I'm talking about) will show the complete command line,
>> >> which in my case would look something like (in the processlist):
>> >>
>> >> mysql -h localhost --user=admin --password=`cat
>> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>> >>
>> >> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> >> masks the actual password from anyone looking in the process list. indeed
>> >> under normal shell scripting circumstances that may have been true.
>> >>
>> >> BUT using php's exec() to run the cmdline causes the following to
>> >> show up in the processlist:
>> >>
>> >> sh -c mysql -h localhost --user=admin --password=`cat
>> >> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>> >>
>> >> AND that [sub]shell then lists its process(es) in the list also; there
>> >> is only one and it is this:
>> >>
>> >> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>> >>
>> >> does anyone have an idea how to overcome this security issue (without
>> >> resorting to having to type in the mysql admin passwd interactively!)
>> >>
>> >> thanks & regards,
>> >> Jochem
>> >>
>> >> --
>> >> PHP General Mailing List (http://www.php.net/)
>> >> To unsubscribe, visit: http://www.php.net/unsub.php
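An added example, not code from anyone in the thread nor from PHP or MySQL themselves, showing one way to run the same import without the password ever reaching a command line. Two facts drive it: the shell expands `cat file` before it execs mysql, so the client's argv holds the plain password no matter how the shell was launched (and /proc/<pid>/cmdline is readable by every local user on a default Linux mount); and the mysql client reads credentials from an option file named with --defaults-extra-file, so only that file's path needs to be visible. It assumes PHP 7.4 or later (proc_open() takes a command array, so no "sh -c" is spawned at all) and a mysql client on PATH; the host, user, database and file paths in the usage comment are the thread's own placeholders.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.4 and a mysql client
// binary on PATH; paths such as /my/sql/root/passwd/file are placeholders.

/**
 * Import $sqlFile into $dbName with the mysql client, reading the password
 * from $passwordFile. The credentials go to the client through a temporary
 * option file (mode 0600) named by --defaults-extra-file, which mysql reads
 * itself, so no secret is part of any process's argv.
 *
 * Returns ['exit' => int, 'output' => string] with stdout and stderr
 * combined, like the original "2>&1".
 */
function importSqlWithoutPasswordInArgv(
    string $host,
    string $user,
    string $passwordFile,
    string $dbName,
    string $sqlFile,
    string $mysqlBin = 'mysql'
): array {
    $password = file_get_contents($passwordFile);
    if ($password === false || ($password = rtrim($password, "\r\n")) === '') {
        throw new RuntimeException("cannot read a password from $passwordFile");
    }

    // tempnam() already creates the file with mode 0600; chmod() makes that
    // explicit so a stricter or looser temp-dir default cannot change it.
    $optionFile = tempnam(sys_get_temp_dir(), 'mycnf');
    if ($optionFile === false) {
        throw new RuntimeException('cannot create temporary option file');
    }
    chmod($optionFile, 0600);

    try {
        // Option-file values may be double-quoted; inside the quotes a
        // backslash escapes both the backslash and the quote character.
        $quote = static fn(string $v): string => '"' . addcslashes($v, "\\\"") . '"';
        file_put_contents(
            $optionFile,
            "[client]\n"
            . 'host=' . $quote($host) . "\n"
            . 'user=' . $quote($user) . "\n"
            . 'password=' . $quote($password) . "\n"
        );

        $sql = fopen($sqlFile, 'rb');
        if ($sql === false) {
            throw new RuntimeException("cannot open $sqlFile");
        }

        // --defaults-extra-file must be the client's first argument.
        // Passing an array makes proc_open() exec the binary directly: no
        // shell, no word splitting, no command substitution.
        $cmd = [$mysqlBin, '--defaults-extra-file=' . $optionFile, '-D', $dbName];
        $descriptors = [
            0 => $sql,              // the script goes in on stdin, as "< file" did
            1 => ['pipe', 'w'],     // capture stdout
            2 => ['redirect', 1],   // fold stderr into stdout (2>&1)
        ];
        $proc = proc_open($cmd, $descriptors, $pipes);
        if (!is_resource($proc)) {
            fclose($sql);
            throw new RuntimeException("cannot start $mysqlBin");
        }
        $output = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        fclose($sql);
        $exit = proc_close($proc);
    } finally {
        // Remove the credential file whether or not the import succeeded.
        unlink($optionFile);
    }

    return ['exit' => $exit, 'output' => $output];
}

// Usage, mirroring the original call site (placeholder values):
// $result = importSqlWithoutPasswordInArgv('localhost', 'admin',
//     '/my/sql/root/passwd/file', 'somedb', '/my/import/script.sql');
// echo "exit={$result['exit']}\n", $result['output'];
```

With this, `ps` shows only `mysql --defaults-extra-file=/tmp/mycnfXXXXXX -D somedb`, and the file behind that path is readable solely by the PHP process's own uid for the lifetime of the import. The other non-interactive route mysql documents, the MYSQL_PWD environment variable (which proc_open() can set through its environment argument), keeps the password out of argv too, but /proc/<pid>/environ is still readable by any process running as the same uid, which is why the MySQL manual itself describes that variable as insecure.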