
global ...

Posted: Fri Feb 23, 2007 2:24 pm
by user___
Hi guys,
I am creating a forum which has a config file, and in this file I set the database username and password as well as many other constants. Then I get them by calling global $THE_VAR. Is it dangerous, I mean is there a way for an attacker to get these values? Is it the standard way of doing this (setting a .config file)?
BTW, I have been doing so for years, but today a friend of mine (a colleague) told me that it was not the best way.

Posted: Fri Feb 23, 2007 2:28 pm
by RobertGonzalez
Is the intent to make your application portable? If so, then it is a start. If not, then there is no reason to keep the DB credentials in a centralized, global data store. You could just as easily put the actual values in the connect call unless you are planning on using the values elsewhere. This is not necessarily the best practice, but it is an option. I tend to stay away from globalizing variables. There just seems something dirty about it to me.

Posted: Fri Feb 23, 2007 2:32 pm
by onion2k
global is something best avoided if you can help it.

Also, variable names should never have 'the' in them. It indicates a poor naming scheme.


Posted: Fri Feb 23, 2007 2:51 pm
by user___
Thank you guys. I must say that I do not have only database vars in the config file. I have others which have to do with the very script and that is why I decided not to describe them.

About the 'the': thank you, onion2k, for your advice, but this was just an example; it was the first thing that came to my mind, so I put it there. I do appreciate your remark.

Everah: I wonder which are the better ways (if you do not mind telling us which they are), and I still have my question: is it vulnerable to do it the way I do it? If they are safe I will stick to them, but otherwise I will have to do some fixes.

Posted: Fri Feb 23, 2007 3:05 pm
by Mordred
Avoid using config files with extensions different from .php, because if they are left below the htdocs root unprotected, an attacker can request them from his browser...

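Mordred's point above is easy to check for. The following is an added example, not code from the thread: a small CLI script that walks a document root and lists config-like files whose extension PHP does not parse, so the web server would hand their contents (database credentials included) to anyone who requests the URL. The extension list and the credential-key pattern are constructed guesses for a typical forum install; adjust them to your own application.

```php
<?php
// Added example (not from the thread). Audit a document root for configuration
// files that the web server would serve as plain text because PHP does not
// parse their extension. Usage: php audit_config_exposure.php /var/www/html
declare(strict_types=1);

// Extensions PHP normally does not parse. A config file with one of these
// names inside the webroot is served verbatim. Constructed list; extend it
// to match what your application actually uses.
const RISKY_EXTENSIONS = ['ini', 'inc', 'conf', 'cfg', 'txt', 'env', 'yml', 'yaml', 'json', 'bak', 'old'];

/**
 * Return the sorted paths of files under $docroot that use a risky extension
 * and either look like a config file by name or contain credential-style keys
 * in their first 4 KiB.
 *
 * @return string[]
 */
function findExposedConfigFiles(string $docroot): array
{
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $ext = strtolower($file->getExtension());
        if (!in_array($ext, RISKY_EXTENSIONS, true)) {
            continue;
        }
        // Only the head of the file is read; that is where config keys live.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 4096);
        $looksLikeConfig = (bool) preg_match('/config|settings/i', $file->getFilename());
        $hasCredentialKeys = (bool) preg_match(
            '/\b(db_?(user|pass|passwd|password|host|name)|password)\b/i',
            $head
        );
        if ($looksLikeConfig || $hasCredentialKeys) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

$docroot = $argv[1] ?? ($_SERVER['DOCUMENT_ROOT'] ?? '');
if ($docroot === '' || !is_dir($docroot)) {
    fwrite(STDERR, "usage: php audit_config_exposure.php /path/to/docroot\n");
    exit(2);
}

$exposed = findExposedConfigFiles(rtrim($docroot, '/'));
if ($exposed === []) {
    echo "No config-like files with unparsed extensions found under {$docroot}\n";
    exit(0);
}
echo "Files below the document root that the server would serve as plain text:\n";
foreach ($exposed as $path) {
    echo "  {$path}\n";
}
echo "Move them above the document root, or deny them in the web server config.\n";
exit(1);
```

A non-zero exit code makes the script usable as a deploy-time check. Note that a backup copy such as config.php.bak has the extension "bak", not "php", which is why .bak and .old are on the list. For files that must stay below the root, the web server can refuse to serve them; on Apache 2.4 a `<FilesMatch "\.(ini|inc|conf|bak)$">` block with `Require all denied` does that.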

Posted: Fri Feb 23, 2007 3:14 pm
by user___
I will not. I put my config file one step above the root and it is .php (BTW, I have read that if you set up your web server you can use other extensions besides .php. Although it is possible, I usually stick to what you have said.) Are there any other vulnerabilities?

Posted: Fri Feb 23, 2007 5:17 pm
by RobertGonzalez
Yes, if you have access to your server's configuration you can tell it to parse whatever extensions you want through the PHP engine.

As for how you use your vars... I usually set up a file for constants (that will be included in the app), then put everything else into either a class (which will be its own file) or into a module used by the classes (modules are their own files as well). If the application is not used by anyone other than me on my server, then I will put the DB credentials into my settings object as a default loaded at run time. If the app needs to be portable (like something that you plan on letting others download, for example), I will put the DB credentials into a separate file and include the file. I am not really big on this idea, as the way most people do this is with either constants or regular vars that can be utilized by other parts of the app (and echoed) if they are not unset immediately after they are used for their purpose.

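The "settings object" RobertGonzalez describes, written out as an added example (not his code or the original poster's): a class that loads the config file from one level above the document root, refuses to load it if it actually sits inside the root, opens the database connection itself so the credentials are never copied into globals where another include could echo them, and hides them from var_dump() output. It assumes PHP 8 and a config file that `return`s an array; the key names are constructed for the example.

```php
<?php
// Added example (not from the thread). A settings object replacing
// `global $THE_VAR` style configuration. Assumes PHP 8 and a config file that
// returns an array, e.g. config.php one level above the document root:
//   <?php return ['db_host' => 'localhost', 'db_name' => 'forum',
//                 'db_user' => 'forum_app', 'db_pass' => 'REPLACE_ME'];
// (constructed sample; the key names are assumptions, not a standard).
declare(strict_types=1);

final class Settings
{
    /** @var array<string,mixed> */
    private array $values;

    // Private: the only way to get a Settings is through load(), so no
    // code path can build one from values that came from user input.
    private function __construct(array $values)
    {
        $this->values = $values;
    }

    /** Load the config file, refusing it if it sits inside the document root. */
    public static function load(string $path, string $documentRoot): self
    {
        $real = realpath($path);
        if ($real === false) {
            throw new RuntimeException("config file not found: {$path}");
        }
        $rootReal = realpath($documentRoot);
        if ($rootReal !== false && str_starts_with($real, rtrim($rootReal, '/') . '/')) {
            // A .php file below the root is only safe while PHP parses it;
            // a copy, rename or backup there becomes readable. Fail closed.
            throw new RuntimeException("refusing to load config from inside the document root: {$real}");
        }
        $values = require $real;
        if (!is_array($values)) {
            throw new RuntimeException("config file must return an array");
        }
        return new self($values);
    }

    /** Read a non-secret setting; secrets are used inside connect() instead. */
    public function get(string $key, mixed $default = null): mixed
    {
        return $this->values[$key] ?? $default;
    }

    /** Open the DB connection here so the credentials never leave this object. */
    public function connect(): PDO
    {
        $dsn = sprintf(
            'mysql:host=%s;dbname=%s;charset=utf8mb4',
            (string) $this->get('db_host'),
            (string) $this->get('db_name')
        );
        return new PDO(
            $dsn,
            (string) $this->get('db_user'),
            (string) $this->get('db_pass'),
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
        );
    }

    /** Keep the values out of var_dump()/print_r() output: only the key names show. */
    public function __debugInfo(): array
    {
        return ['keys' => array_keys($this->values)];
    }
}

// Usage from a script in the document root (assumed paths):
//   $settings = Settings::load(__DIR__ . '/../config.php', $_SERVER['DOCUMENT_ROOT']);
//   $pdo = $settings->connect();
```

Because the values live in a private property rather than in `$GLOBALS`, a stray `echo $dbpass` or `print_r($GLOBALS)` elsewhere in the forum cannot reveal them, which is the exposure RobertGonzalez describes. One remaining channel is an uncaught PDOException: its stack trace can include the arguments passed to `new PDO(...)`, so production php.ini should keep `zend.exception_ignore_args` enabled and `display_errors` off.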

Posted: Sat Feb 24, 2007 9:11 am
by user___
Thank you guys.