Search the Community
Showing results for tags 'possible hacker door?'.
Found 1 result
-
I ws just reading the PHP Documentation and I accidently found something that scares me a little. There are two commands which (I believe) would allow a potential hacker scary power. Everything I've read always tells me to use/pass variables for the arguments when connecting to a database (i.e. mysqli_connect) instead of hard coding the arguments into the mysqli_connect directly. The reason that is given is security, the data can be stored somewhere secure where a malicious user cannot access it. Sounds great and I use it, as the values dont change during execution I use constants, and that's where I found the scary. There are two commands which would dump all that info straight to a user... PLEASE tell me this cant be done. the commands are: get_defined_constants() get_defined_vars() Couldn't a malicious user trick the server into running echo get_defined_vars(); echo get_defined_constants(); and then become omnipotent? I can see it, somehow a user uploads a file to a server, pretending it's innocuous, but really it's a .php (say myfile.txt.php) snd then said user requests that file from the server...
