Not if the webserver is on another machine; he could have gained access to
my system through a security flaw in my webserver, one that my
database server doesn't have.

And he could just create the script in a temp folder and execute it if PHP is
a CGI module, unless he has Apache HTML write rights.
I thought of this extension to make it harder for a hacker to access data,
and easier for admins to detect the access from that data.
But I thought of a workaround for this case... I can modify the sources so
cfg_get may store the last script that accessed that file, or maybe cfg_set
could just grant access to one script... this could make it impossible for
anyone to create another script just to get it.
I'm new to extension development, so I don't know if it's possible to know
inside my function what script is calling it.

Hmmm, I hadn't noticed the PHP License... that sounds OK to me.

regards,
Keyser Soze

----- Original Message -----
From: "Peter Petermann" <[EMAIL PROTECTED]>
To: "Keyser Soze" <[EMAIL PROTECTED]>; "Robin Ericsson"
<[EMAIL PROTECTED]>
Cc: "PHP-DEV" <[EMAIL PROTECTED]>
Sent: Tuesday, March 05, 2002 12:12 PM
Subject: Re: [PHP-DEV] New Module


> it's much easier to detect a modification of a script instead of just a
> "cat dbconf.php".
no need to modify a script.
if a hacker has access to your webserver,
in most cases he will be able to access your db server too.
if not, in the case of your extension
it shouldn't be hard for him
to create a small script for looking up the data
in your temp folder,
gaining the data,
and deleting it

from the point of detection, this is the same class as doing a cat dbconf.php
the point is: your extension is not changing security.

btw: why do you want to put it under the GPL?
most extensions have PHP License,
that could conflict.

regards,
Peter Petermann
--
Homepage: www.cyberfly.net
PHP Usergroups: www.phpug.de - [EMAIL PROTECTED]
PHP Infos: www.php-center.de - [EMAIL PROTECTED]
VL-SRM Homepage: www.vl-srm.net - [EMAIL PROTECTED]





--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php


