global ...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Hi guys,
I am creating a forum which has a config file, and in this file I set the database's username and password as well as many other constants. Then I get them by calling global $THE_VAR. Is it dangerous, I mean is there a way for an attacker to get these values? Is it the standard way of doing this (setting a .config file)?
BTW, I have been doing so for years but today a friend of mine (colleague) told me that it was not the best way.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Is the intent to make your application portable? If so, then it is a start. If not, then there is no reason to keep the DB credentials in a centralized, global data store. You could just as easily put the actual values in the connect call unless you are planning on using the values elsewhere. This is not necessarily the best practice, but it is an option. I tend to stay away from globalizing variables. There just seems something dirty about it to me.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

global is something best avoided if you can help it.

Also, variable names should never have 'the' in them. It indicates a poor naming scheme.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Thank you guys. I must say that I do not have only database vars in the config file. I have others which have to do with the very script and that is why I decided not to describe them.

About the 'the' thank you onion2k for your advice but this was just an example and due to the fact that this was the first thing that came to my mind so I put it there. I do appreciate your remark.

Everah: I wonder which are better ways (if you don't mind telling us which they are), and I still have my question: is it vulnerable to do it the way I do it? If they are safe I will stick to them, but otherwise I will have to do some fixes.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

Avoid using config files with extensions different from .php, because if they are left below the htdocs root unprotected, an attacker can request them from his browser...

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

I will not. I put my config file one step above the root and it is .php (BTW I have read that if you set up your Web Server you can use other extensions besides .php. Although it is possible I usually stick to what you have said.). Are there any other vulnerabilities?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Yes, if you have access to your server's configuration you can tell it to parse whatever extensions you want through the PHP engine.

As for how you use your vars... I usually set up a file for constants (that will be included in the app) then put everything else into either a class (which will be its own file) or into a module used by the classes (modules are their own files as well). If the application is not used by anyone other than me on my server, then I will put the DB credentials into my settings object as a default loaded at run time. If the app needs to be portable (like something that you plan on letting others download, for example) I will put the DB credentials into a separate file and include the file. I am not really big on this idea as the way most people do this is with either constants or regular vars that can be utilized by other parts of the app (and echoed) if they are not unset immediately after they are used for their purpose.
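As an added example (not code posted by anyone in this thread), here is the layout Mordred and RobertGonzalez describe put together: a config.php kept one level above the document root that does nothing but return an array, loaded into a local variable, handed straight to the connect call, and unset afterwards, so the credentials never sit in the global scope where any included script could `global` them and echo them. The directory layout, the file name config.php, the array keys and the connection details are all assumptions made for the illustration.

```php
<?php
// Added example, not from the original thread. Assumed layout:
//   /var/www/app/config.php          <- one level ABOVE the document root
//   /var/www/app/public/index.php    <- document root is /var/www/app/public
// File names, array keys and DSN values are placeholders for illustration.

declare(strict_types=1);

// --- config.php (kept outside the document root) -------------------------
// A .php file that only *returns* a value produces no output if it is ever
// requested through the web server by mistake, whereas config.ini or
// config.txt would be served verbatim. Keeping it above htdocs means it
// cannot be requested at all, which is the safer of the two measures.
//
//   <?php
//   return [
//       'db' => [
//           'dsn'      => 'mysql:host=127.0.0.1;dbname=forum;charset=utf8mb4',
//           'username' => 'forum_user',
//           'password' => 'example-password',   // placeholder
//       ],
//       'site' => ['name' => 'My Forum', 'posts_per_page' => 25],
//   ];

// --- public/index.php ---------------------------------------------------

/**
 * Load the configuration from a path outside the document root and refuse
 * to continue if the file actually resolves to somewhere the web server
 * could serve it from (for example after a careless deployment).
 */
function loadConfig(string $path, string $documentRoot): array
{
    $real = realpath($path);
    $root = realpath($documentRoot);
    if ($real === false) {
        throw new RuntimeException("config file not found: $path");
    }
    if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("refusing to load config from inside the document root: $real");
    }
    $config = require $real;        // the file returns an array and nothing else
    if (!is_array($config)) {
        throw new RuntimeException('config.php must return an array');
    }
    return $config;
}

/**
 * Build the PDO connection inside a function: the username and password
 * are local variables here, never `global` ones that another included
 * script could read or echo.
 */
function connect(array $db): PDO
{
    return new PDO($db['dsn'], $db['username'], $db['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// On the CLI DOCUMENT_ROOT is unset, so fall back to this directory.
$config = loadConfig(__DIR__ . '/../config.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$pdo    = connect($config['db']);
unset($config['db']);               // credentials are not needed once connected

// The rest of the application receives the non-secret settings as an
// explicit argument instead of pulling them out of the global scope.
function renderTitle(array $site): string
{
    return htmlspecialchars($site['name'], ENT_QUOTES, 'UTF-8');
}

echo renderTitle($config['site']), PHP_EOL;
```

Two caveats worth keeping in mind with this arrangement: the ".php extension protects you" argument only holds while the PHP handler is actually enabled for that directory, since a .php file under the document root on a server where PHP is disabled or misconfigured is served as plain text, which is why the location above the root matters more than the extension; and `unset($config['db'])` removes the array entry but does nothing about copies, so the habit of passing credentials straight into the connect call and never assigning them anywhere else is what keeps them out of reach of a stray `global` or `var_dump`.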
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Thank you guys.