On Mon, December 4, 2006 6:55 am, Jochem Maas wrote: > but given that the ENV var is only available to the shell php in > currently running in (and any subshells) so > the script is only vulnerable to mistakes/attacks from 'inside' the > script - basically I'm assuming that > whatever is stored in the ENV of a shell is not accessible/visible to > other users on the given system. > > is that assumption correct? I think it's wiser to phrase it as "not supposed to be accessible" or "not accessible via normal means" If somebody works hard enough at it, with some kind of RAM snooper and a hacked kernel and whatnot, they *could* get to it... :-v It's important to phrase these things with that tinge of gray, just to remind ourselves that there's always some kind of hack to beat any system. -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php