I ws just reading the PHP Documentation and I accidently found something that scares me a little. There are two commands which (I believe) would allow a potential hacker scary power. Everything I've read always tells me to use/pass variables for the arguments when connecting to a database (i.e. mysqli_connect) instead of hard coding the arguments into the mysqli_connect directly. The reason that is given is security, the data can be stored somewhere secure where a malicious user cannot access it. Sounds great and I use it, as the values dont change during execution I use constants, and that's where I found the scary. There are two commands which would dump all that info straight to a user... PLEASE tell me this cant be done.
the commands are:
get_defined_constants()
get_defined_vars()
Couldn't a malicious user trick the server into running
echo get_defined_vars();
echo get_defined_constants();
and then become omnipotent?
I can see it, somehow a user uploads a file to a server, pretending it's innocuous, but really it's a .php (say myfile.txt.php) snd then said user requests that file from the server...