If you did use ENV to set the username and password, you could always unset it using the same method after you ran the mysql command. So it'd only be exposed for a very brief period of time and slightly less accessible than just running a process list.
It still falls under the category of "security through obscurity" which isn't a best practice scenario. But I can't think of another way to run mysql under these circumstances that's any better.
-TG
= = = Original message = = =
On Thu, November 30, 2006 12:29 pm, Edwin Barrios wrote:
> This is not triue because a shell vars declered on a shell is only
> exposed
> to its subshells, that means that only exec's and system functions
> calls
> into the php itself resive those vars declared into the php !
>
> You can see this argument in the following code
>
> <?php
> error_reporting(E_ALL);
>
>
> echo "OLD <pre>";
> system("env");
> echo "</pre>";
>
> putenv("DBNAME=sidf");
> putenv("DBUSER=p");
> putenv("DBPASSWD=p");
>
> echo "NEW <pre>";
> system("env");
> echo "</pre>";
>
> ?>
>
> and reloading these a couple of times.
My point was that somebody who was doing:
system("env");
in a different part of the script, to debug something else, will
expose the password, probably without even realizing it.
--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
