T.Lensselink wrote:
> Doesn't it show up on the phpinfo(); page under "Environment" when
> using the putenv(); call?

I'd be surprised - firstly I'm not dealing with 'pages' because the code in question
constitutes a cmdline script that only runs with the CLI version of php;
secondly the putenv() call doesn't occur in any script that calls phpinfo()

if I'm wrong then I guess I should reconsider a career as a Whack-A-Mole or something ;-)

>
> On Mon, 04 Dec 2006 13:55:56 +0100, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>> tg-php@xxxxxxxxxxxxxxxxxxxxxx wrote:
>>> If you did use ENV to set the username and password, you could always
>>> unset it using the same method after you ran the mysql command. So it'd
>>> only be exposed for a very brief period of time and slightly less
>>> accessible than just running a process list.
>>
>> indeed I do the following directly after the relevant call to exec() :
>>
>> putenv('MYSQL_PLESK_PWD=doreallythinkIwouldleavethispwdfloatingaroundinashellenv?');
>>
>>> It still falls under the category of "security through obscurity" which
>>> isn't a best practice scenario. But I can't think of another way to run
>>> mysql under these circumstances that's any better.
>>
>> but given that the ENV var is only available to the shell php is currently
>> running in (and any subshells) so the script is only vulnerable to
>> mistakes/attacks from 'inside' the script - basically I'm assuming that
>> whatever is stored in the ENV of a shell is not accessible/visible to
>> other users on the given system.
>>
>> is that assumption correct?
>>
>>> -TG
>>>
>>> = = = Original message = = =
>>>
>>> On Thu, November 30, 2006 12:29 pm, Edwin Barrios wrote:
>>>> This is not true because a shell var declared on a shell is only
>>>> exposed to its subshells, that means that only exec's and system
>>>> function calls into the php itself receive those vars declared into
>>>> the php !
>>>>
>>>> You can see this argument in the following code
>>>>
>>>> <?php
>>>> error_reporting(E_ALL);
>>>>
>>>> // child process environment before putenv()
>>>> echo "OLD <pre>";
>>>> system("env");
>>>> echo "</pre>";
>>>>
>>>> putenv("DBNAME=sidf");
>>>> putenv("DBUSER=p");
>>>> putenv("DBPASSWD=p");
>>>>
>>>> // child process environment after putenv(): the new vars are inherited
>>>> echo "NEW <pre>";
>>>> system("env");
>>>> echo "</pre>";
>>>>
>>>> ?>
>>>>
>>>> and reloading these a couple of times.
>>>
>>> My point was that somebody who was doing:
>>> system("env");
>>> in a different part of the script, to debug something else, will
>>> expose the password, probably without even realizing it.
>>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
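Added example, not code from anyone in this thread: it contrasts putenv(), which hands the secret to every later child process the script spawns (so a stray system("env") elsewhere in the script prints it), with proc_open()'s environment argument, which gives the variable to one child only. The variable name MYSQL_PLESK_PWD is taken from the thread; the value is a constructed placeholder, and childSeesVar/runWithPrivateEnv are helper names chosen here.

```php
<?php
// Added example (not from the thread). Run with the PHP CLI on Linux/Unix.
// MYSQL_PLESK_PWD is the thread's variable name; the value is a constructed placeholder.

function childSeesVar(string $name): bool {
    // Ask a child shell to print the variable; non-empty output means it inherited it.
    $out = shell_exec('printenv ' . escapeshellarg($name) . ' 2>/dev/null');
    return trim((string) $out) !== '';
}

// 1. The pattern discussed in the thread: putenv() before exec()/system().
putenv('MYSQL_PLESK_PWD=example-placeholder-password');
var_dump(childSeesVar('MYSQL_PLESK_PWD'));   // bool(true): any later system("env") leaks it

// The thread's mitigation, done properly: a setting with no '=' removes the
// variable from the process environment (PHP's putenv() behaviour on Unix),
// rather than overwriting it with a decoy value.
putenv('MYSQL_PLESK_PWD');
var_dump(childSeesVar('MYSQL_PLESK_PWD'));   // bool(false)

// 2. Narrower alternative: give the secret only to the one child that needs it.
function runWithPrivateEnv(string $cmd, array $env): string {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // proc_open()'s fifth argument replaces the child's whole environment;
    // the parent's environment (and every other child's) is untouched.
    $proc = proc_open($cmd, $spec, $pipes, null, $env + ['PATH' => (string) getenv('PATH')]);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot start $cmd");
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

$out = runWithPrivateEnv('printenv MYSQL_PLESK_PWD',
                         ['MYSQL_PLESK_PWD' => 'example-placeholder-password']);
var_dump(trim($out) === 'example-placeholder-password'); // bool(true): that child got it
var_dump(childSeesVar('MYSQL_PLESK_PWD'));                // bool(false): no other child does
```

Either way the variable stays inside this process tree; the thread's point about other users still holds, since a child's environment is readable by that user and root, while command-line arguments are visible to everyone through a process listing.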