How secure is storing DB variables with SetEnv or in php.ini? -


i don't storing sitewide crypto keys , db access information under document_root, using apache's setenv , php.ini files under conf.d separate these codebase. big question is, 1 better? inside environment variables under apache vhost files (setenv sitekey 'oinkoink!') or inside conf.d/xxx.ini files (db_pass="oink?")? maybe else?

pros n cons:

setenv:

+stored outside document_root
+only given vhost has access
-visible phpinfo() - hacker needs direct access/upload exploit files

get_cfg_var:

+stored outside document_root
+not visible phpinfo()
-(very bad) defined ini variables included, each vhost can query them via (ini_get_all), not usable in shared vhost environment

as long *.ini , setenv outside of web root (document root) doesn't matter either way. choose whichever prefer. setenv, it's personal preference. makes more sense me use setenv since variables put _server. .ini, think makes more sense leave initialization settings specific how code works.

not storing under document root idea prevent access possibly secure data.

note phpinfo() list server variables set, careful that.

finally, if including files, make sure don't allow gratuitous ../../ set user somehow or have access potentially secure files (even including /etc/passwd!)

i think main question "how secure." well, secure can without causing major headaches. php code has access these variables, if print them out visible, depends on how secure code base is. might possible use ldap mysql, sounds huge pain.


Comments

Post a Comment

Popular posts from this blog

c# - SharpSVN - How to get the previous revision? -

i trying find efficient way previous revision of file text comparison using sharpsvn. using (svnclient c = new svnclient()) { c.authentication.defaultcredentials = new networkcredential( configurationmanager.appsettings.get("svnserviceusername") , configurationmanager.appsettings.get("svnservicepassword") , configurationmanager.appsettings.get("svnservicedomain") ); c.authentication.sslservertrusthandlers += new eventhandler<svnsslservertrusteventargs>(authentication_sslservertrusthandlers); collection<svnfileversioneventargs> fileversioncollection = new collection<svnfileversioneventargs>(); svnrevisionrange range = new svnrevisionrange(0, this.hooks.revision); svnfileversionsargs args = new svnfileversionsargs(); args.retrieveproperties = true; args.range = range; foreach (svnchangeitem item in log.changedpaths) { string path = this.repositorypath + it...
Read more

c++ - Is it possible to compile a VST on linux? -

for class project i'm attempting write vst plugin backed cuda. current cuda workflow on linux box, i'd prefer compile , link there. according wikipedia , should possible (i couldn't find steinberg documentation relevant linux) can't find makefile or instructions on how build if aren't using xcode or visual studio. i'm vst 3 sdk doesn't support linux. when try compile plugin under linux, error: ./base/source/fatomic.cpp:39:30: fatal error: libkern/osatomic.h: no such file or directory this issue caused following code in "vst3 sdk/base/source/fatomic.cpp" #if mac #include <libkern/osatomic.h> #if mac_os_x_version_min_required > mac_os_x_version_10_4 #define native_atomic_type (volatile int32_t*) #else #define native_atomic_type (int32_t*) #endif #elif windows #include <windows.h> #endif but hope compiling under linux work vst sdk 2.4. reading. jvstwrapper seems run on lin...
Read more

url - Querystring manipulation of email Address in PHP -

i using third party application (email2http) send me emailid, body , message. unable retrieve email id due name appended on , enclosed < , >. here querystring getting. test.php?from=ajay+reddy &subject=cx&body=somebody when print variable in php returns name , not email id. $from = $_get['from']; echo $from; //output ajay reddy please suggest me how can emailid also. i dont want use post method due testing , debugging. it's working fine. forgot use htmlentities() in debugging.
Read more