On Sat, Jun 16, 2012 at 7:17 AM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Sat, 2012-06-16 at 07:09 -0500, Karl DeSaulniers wrote:
>
>> On Jun 16, 2012, at 6:39 AM, Maciek Sokolewicz wrote:
>>
>> > On 16-06-2012 08:36, Karl DeSaulniers wrote:
>> >> Quick question phprz. Is it ok to put a token inside a define()
>> >> statement?
>> >>
>> >> IE:
>> >> define('TOKEN', $sometoken);
>> >>
>> >> I guess what I am really after is if this can be read by a hacker?
>> >> I may be misguided as to what define()'s parameters are.
>> >> Once you define something it becomes a server variable?
>> >> And server variables are easy to read/get ?
>> >>
>> >> If it is unsafe, what is the best method of storing/using a token so
>> >> that it can be called at will?
>> >> Kind of like a global, just more secure. Can you secure a define
>> >> statement?
>> >>
>> >> TIA,
>> >>
>> >> Best,
>> >> Karl DeSaulniers
>> >> Design Drumm
>> >> http://designdrumm.com
>> >>
>> >
>> > I don't think you understand what define does, or what a constant is.
>> >
>> > The define function literally "defines" a constant. That is, it
>> > creates a constant in your script.
>> > A constant isn't a server variable, it's not some kind of special
>> > global whatever.
>> >
>> > A constant is a kind of variable, but which is constant; that is, it
>> > can not change value once set. Constants in PHP look like variables,
>> > only without the preceding $-mark. They are not inherently safer or
>> > better than normal variables.
>> >
>> > Now, the question we would all like to pose is: "what are you trying
>> > to do?". You say you're looking for the best method of storing/using
>> > a token to be called at will. Then of course a good question would
>> > be "what do you mean by 'token'?" and what do you want to do with
>> > that 'token'? Why is that 'token' so important to you?
>>
>> Thanks for the reply. I had a feeling I was off-track.
>> I am using the token for a PayPal verification. PayPal's PDT.
>> Would like to know how to store safely in my config file to use in my
>> scripts.
>>
>> Karl DeSaulniers
>> Design Drumm
>> http://designdrumm.com
>>
>
> Store it in a PHP script outside of document root if you can, this
> prevents it ever being seen if the server is misconfigured to not parse
> php scripts properly.
>
> Try to secure all the scripts on the site, as any of them could be a way
> in, allowing someone to execute their own code on the server. This is
> standard practice generally though.
>
> --
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>

For credentials, such as tokens, passphrases, etc, I don't tend to store
these in any particular language so that I can read and use them no
matter what implementation language I'm using. These are stored outside
of any server path, and strict permissions/ACL controlled.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
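
The storage advice in this thread (token kept outside the document root, in a language-neutral file, with strict permissions) can be enforced at load time. The following is an added example, not code from any poster: load_secret(), the KEY=VALUE file layout, the key name PAYPAL_PDT_TOKEN and the paths are assumptions, and the permission check applies to POSIX systems.

```php
<?php
declare(strict_types=1);
// Added example. load_secret(), the file layout and the key name are hypothetical.
function load_secret(string $file, string $key, string $docRoot): string
{
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("secrets file not found: $file");
    }
    // The file must not sit under the document root, where a server that
    // stops parsing PHP (or never parsed this extension) would serve it as text.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('secrets file is inside the document root');
    }
    // POSIX permission check: no group write, nothing at all for other users.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if (($mode & 0027) !== 0) {
        throw new RuntimeException(sprintf('mode %04o is too open (want 0600 or 0640)', $mode));
    }
    // Language-neutral format: KEY=VALUE per line, '#' starts a comment line.
    foreach (file($real, FILE_IGNORE_NEW_LINES) ?: [] as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, '=') === false) {
            continue;
        }
        [$k, $v] = explode('=', $line, 2);
        if (trim($k) === $key) {
            return trim($v);
        }
    }
    throw new RuntimeException("key $key not found");
}

// Demo on a constructed file in the temp directory (stand-in for e.g. /etc/myapp/).
$file = tempnam(sys_get_temp_dir(), 'sec');
file_put_contents($file, "# constructed sample\nPAYPAL_PDT_TOKEN=EXAMPLE-NOT-A-REAL-TOKEN\n");
$docRoot = '/var/www/html'; // assumed document root; check is skipped if it does not exist
chmod($file, 0600);
echo load_secret($file, 'PAYPAL_PDT_TOKEN', $docRoot), "\n";

chmod($file, 0644); // world-readable: the loader must refuse
try {
    load_secret($file, 'PAYPAL_PDT_TOKEN', $docRoot);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
unlink($file);
```

In a deployment the file would be owned by root with the web server's group and mode 0640, or owned by the web server user with mode 0600, so that only the PHP process and administrators can read it.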