Hi guys,
I am creating a forum which has a config file, and in this file I set the database username and password as well as many other constants. Then I get them by calling global $THE_VAR. Is it dangerous, I mean, is there a way for an attacker to get these values? Is it the standard way of doing this (setting a .config file)?
BTW, I have been doing so for years, but today a friend of mine (a colleague) told me that it was not the best way.
global ...
Moderator: General Moderators
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Is the intent to make your application portable? If so, then it is a start. If not, then there is no reason to keep the DB credentials in a centralized, global data store. You could just as easily put the actual values in the connect call unless you are planning on using the values elsewhere. This is not necessarily the best practice, but it is an option. I tend to stay away from globalizing variables. There just seems something dirty about it to me.
Thank you guys. I must say that I do not have only database vars in the config file. I have others which have to do with the script itself, and that is why I decided not to describe them.
About the 'the': thank you, onion2k, for your advice, but this was just an example; it was the first thing that came to my mind, so I put it there. I do appreciate your remark.
Everah: I wonder which the better ways are (if you don't mind telling us which they are), and I still have my question: is it vulnerable to do it the way I do it? If they are safe I will stick to them, but otherwise I will have to do some fixes.
I will not. I put my config file one step above the root and it is .php (BTW, I have read that if you set up your web server you can use other extensions besides .php. Although it is possible, I usually stick to what you have said.). Are there any other vulnerabilities?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Yes, if you have access to your server's configuration you can tell it to parse whatever extensions you want through the PHP engine.
As for how you use your vars... I usually set up a file for constants (that will be included in the app), then put everything else into either a class (which will be its own file) or into a module used by the classes (modules are their own files as well). If the application is not used by anyone other than me on my server, then I will put the DB credentials into my settings object as a default loaded at run time. If the app needs to be portable (like something that you plan on letting others download, for example) I will put the DB credentials into a separate file and include the file. I am not really big on this idea, as the way most people do this is with either constants or regular vars that can be utilized by other parts of the app (and echoed) if they are not unset immediately after they are used for their purpose.
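Putting the advice from both moderator posts into one piece of code (a settings file kept one step above the web root, loaded into a settings object instead of `global` variables, and the DB credentials dropped as soon as the connection exists so nothing elsewhere in the app can echo them), here is an added example written for this thread; it is not code from any poster. The file path `../config/settings.php`, the array keys and the `Settings` class name are assumptions.

```php
<?php
// Added example for this thread, not from any poster.
// Assumed layout: the web root is /var/www/html/ and the settings file lives
// one directory above it, at /var/www/config/settings.php, so the web server
// never serves it directly. The settings file simply returns an array:
//
//   <?php
//   return [
//       'db'   => ['dsn' => 'mysql:host=localhost;dbname=forum',
//                  'user' => 'forum_user', 'pass' => 'CHANGE_ME'],
//       'site' => ['name' => 'My Forum', 'posts_per_page' => 20],
//   ];
//
// Because the file *returns* the array, nothing is written into $GLOBALS,
// so no other script can read the credentials with "global $x".

final class Settings
{
    /** @var array<string, mixed> */
    private array $values;

    public function __construct(string $path)
    {
        if (!is_readable($path)) {
            throw new RuntimeException('settings file not readable: ' . $path);
        }
        $config = require $path;          // executes the file and takes its return value
        if (!is_array($config)) {
            throw new RuntimeException('settings file must return an array');
        }
        $this->values = $config;
    }

    /** Read a non-secret setting such as the site name or page size. */
    public function get(string $section, string $key, $default = null)
    {
        return $this->values[$section][$key] ?? $default;
    }

    /**
     * Open the database connection, then forget the credentials so a later
     * var_dump($settings) or debug page cannot print them (the "echoed"
     * concern raised above).
     */
    public function connectDb(): PDO
    {
        if (!isset($this->values['db'])) {
            throw new LogicException('DB credentials already consumed or missing');
        }
        $db  = $this->values['db'];
        $pdo = new PDO($db['dsn'], $db['user'], $db['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        unset($this->values['db'], $db);   // credentials no longer live in memory
        return $pdo;
    }
}

// Usage from a script inside the web root (assumed path, dirname(__DIR__)
// resolves to the directory above the web root):
$settings = new Settings(dirname(__DIR__) . '/config/settings.php');
$pdo      = $settings->connectDb();
$siteName = $settings->get('site', 'name', 'Forum');
$perPage  = (int) $settings->get('site', 'posts_per_page', 20);
```

The object is passed to the code that needs it (a constructor argument or a function parameter) rather than declared `global`, so the set of places that can see the configuration is visible in the code, and after `connectDb()` only the `PDO` handle, not the password, remains reachable.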
