Karaethon Posted May 27, 2019 (edited)
I was just reading the PHP documentation and I accidentally found something that scares me a little. There are two commands which (I believe) would allow a potential hacker scary power. Everything I've read always tells me to use/pass variables for the arguments when connecting to a database (i.e. mysqli_connect) instead of hard coding the arguments into the mysqli_connect directly. The reason that is given is security: the data can be stored somewhere secure where a malicious user cannot access it. Sounds great and I use it; as the values don't change during execution I use constants, and that's where I found the scary. There are two commands which would dump all that info straight to a user... PLEASE tell me this can't be done. The commands are: get_defined_constants() and get_defined_vars(). Couldn't a malicious user trick the server into running echo get_defined_vars(); echo get_defined_constants(); and then become omnipotent? I can see it: somehow a user uploads a file to a server, pretending it's innocuous, but really it's a .php (say myfile.txt.php), and then said user requests that file from the server...
Edited May 27, 2019 by Karaethon: accidentally typed coomands instead of commands, v instead of a space, and missed the m in omnipotent
gw1500se Posted May 27, 2019
If a user can upload a file and then execute it, you have your permissions on that upload directory set wrong. You should be moving uploaded files to a protected location in any case.
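One way to handle uploads the way gw1500se describes, as an added example that is not code from this thread; it assumes a form field named document and a placeholder directory /var/app/uploads that sits outside the document root:

```php
<?php
// Added example, not code from the thread. Stores uploads under a random,
// server-chosen name in a directory outside the document root, so a file
// named "myfile.txt.php" can never be requested and executed as PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // placeholder path, NOT under the web root
const ALLOWED    = ['txt' => 'text/plain', 'pdf' => 'application/pdf'];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    // Pick the extension from the detected content, never from the client's name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = array_search($mime, ALLOWED, true);
    if ($ext === false) {
        throw new RuntimeException("disallowed content type: $mime");
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // random, no user input in it
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);   // readable by the app user only, never executable
    return $name;
}

// Files are handed back through PHP, so they are read and sent, never executed.
function sendUpload(string $name): void
{
    if (!preg_match('/^[0-9a-f]{32}\.(txt|pdf)$/', $name)
        || !is_file($path = UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[pathinfo($name, PATHINFO_EXTENSION)]);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (isset($_FILES['document'])) {           // assumed form field name
    echo storeUpload($_FILES['document']);
}
```

Because the stored name is chosen by the server and the directory is not served by the web server, the client's file name (and any .php suffix in it) never decides how the file is treated.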
Karaethon (Author) Posted May 27, 2019
OK, so if the directory doesn't have execute permissions (chmod?) then it wouldn't process the file?
mac_gyver Posted May 27, 2019
If someone manages to get their PHP code to run on your server (they don't even need to upload a file if allow_url_fopen and allow_url_include are on and you are blindly including/requiring files named from GET parameters), they have access to all your files, so it doesn't matter where or how you store things like db connection credentials.
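The blind-include pattern mac_gyver refers to, shown beside an allowlisted version, as an added example that is not code from this thread; the page files under pages/ are placeholders:

```php
<?php
// Added example, not code from the thread: the "blindly include a file named
// by a GET parameter" pattern mac_gyver warns about, beside an allowlisted
// version in which the client picks a key and the server picks the file.
declare(strict_types=1);

// Vulnerable: the request decides which path is included. With
// allow_url_include on this can even be a remote URL; with it off, any
// readable local .php file can still be named.
function loadPageUnsafe(): void
{
    include $_GET['page'] . '.php';
}

// Hardened: fixed map from request key to server-chosen file. The paths
// under pages/ are placeholders.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function loadPage(string $key): void
{
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        require __DIR__ . '/pages/404.php';
        return;
    }
    require PAGES[$key];
}

// Log at startup if the runtime still has the remote-include settings on,
// so the misconfiguration is noticed before an include bug is.
function checkIncludeSettings(): array
{
    $enabled = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $opt) {
        if (filter_var(ini_get($opt), FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $opt;
            error_log("warning: $opt is enabled in php.ini");
        }
    }
    return $enabled;
}

checkIncludeSettings();
loadPage((string) ($_GET['page'] ?? 'home'));
```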
Karaethon (Author) Posted May 27, 2019
OK, so it's not like they could get a file onto the server, then go to http://www.site.com/badfile.txt.php and have everything go kablooey for you. The file must be specifically included or required for it to execute, right?
mac_gyver Posted May 27, 2019
28 minutes ago, mac_gyver said: "they don't even need to upload ..."
That's a statement of an alternate method to get PHP code to run on your server.
kicken Posted May 27, 2019
2 hours ago, Karaethon said: "Ok, so it's not like they could get a file onto the server then goto http://www.site.com/badfile.txt.php and have everything go kablooey for you."
If they can get a file on your server with a .php extension then yes, they can run it by visiting the URL. That's not the only way someone could get code to run though. As mentioned, code that include()s or require()s incorrectly could also cause problems, or incorrect usage of eval(), etc. Regardless of the means though, if someone can run code on your server then they can access the information on your server. Hard-coding your credentials wouldn't make them any harder to get in that scenario, as the attacker could just echo file_get_contents('database.php'); to dump the source code of your database connection file. The point of using variables/defines for your credentials over hard-coding doesn't really have anything to do with improved security. It's all about configurability and convenience. It's much nicer to have all your configuration parameters centralized in one place rather than spread across several files. That way, if things change, it's easier to update the configuration.