Jump to content

Am I seeing windmills?!?!?


Karaethon

Recommended Posts

I ws just reading the PHP Documentation and I accidently found something that scares me a little. There are two commands which (I believe) would allow a potential hacker scary power. Everything I've read always tells me to use/pass variables for the arguments when connecting to a database (i.e. mysqli_connect) instead of hard coding the arguments into the mysqli_connect directly. The reason that is given is security, the data can be stored somewhere secure where a malicious user cannot access it. Sounds great and I use it, as the values dont change during execution I use constants, and that's where I found the scary. There are two commands which would dump all that info straight to a user... PLEASE tell me this cant be done.

the commands are: 

  • get_defined_constants()
  • get_defined_vars()

Couldn't a malicious user trick the server into running

echo get_defined_vars();
echo get_defined_constants();

and then become omnipotent?

I can see it, somehow a user uploads a file to a server, pretending it's innocuous, but really it's a .php (say myfile.txt.php) snd then said user requests that file from the server... 

Edited by Karaethon
Accidently typed coomands instead of commands, v instead of a space, and missed the m in omnipotent
Link to comment
Share on other sites

if someone manages to get their php code to run on your server (they don't even need to upload a file if allow_url_fopen  and allow_url_include are on and you are blindly including/requiring files named from get parameters), they have access to all your files, so it doesn't matter where or how you store things like db connection credentials.

 

Link to comment
Share on other sites

 

2 hours ago, Karaethon said:

Ok, so it's not like they could get a file onto the server then goto http://www.site.com/badfile.txt.php and have everything go kablooey for you.

If they can get a file on your server with a .php extension then yes, they can run it by visiting the URL.  That's not the only way someone could get code to run though. As mentioned, code that include() or require()'s  incorrectly could also cause problems, or incorrect usage of eval(), etc.

Regardless of the means though, if someone can run code on your server then they can access the information on your server.  Hard-coding your credentials wouldn't make them any harder to get in that scenario as the attacker could just echo file_get_contents('database.php'); to dump the source code of your database connection file.

The point of using variables/defines for your credentials over hard-coding doesn't really have anything to do with improved security.  It's all about configurability and convienence.  It's much nicer to have all your configuration parameters centralized in one place rather than spread across several files.  That way if things change it's easier to update the configuration.

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.