Absolute Path stored in Environment Variable

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
ctrLogicDotNet
Forum Newbie
Posts: 24
Joined: Fri Jul 24, 2009 10:52 am

Absolute Path stored in Environment Variable

Post by ctrLogicDotNet »

Here is the thing,

I have my own dedicated server and intend to put future customers on shared hosting on it.
Some of the customers will be using PHP code we built and located in a folder which is placed likely to PEAR folder and all, and some other customers won't have access to this PHP code.
I've added the absolute path of this folder in the php.ini,
I've added an environement variable containing the absolute path from the shell,
and made environment variables accessible by changing this in the php.ini: variables_order = "EGPCS" instead of "GPCS"

My question is:

Will the last step be a security issue on a shared hosting server, if yes, what will that be?
And if any other security issues should be considered, you would be kind to let me know.

Thank You
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Absolute Path stored in Environment Variable

Post by kaisellgren »

I don't think you even need that E to be there. The letter S stands for $_SERVER and if you have this code in a .htaccess:

Code: Select all

SetEnv foo bar
Then you can access it through $_SERVER['foo']. No need for E's ($_ENV).
ctrLogicDotNet
Forum Newbie
Posts: 24
Joined: Fri Jul 24, 2009 10:52 am

Re: Absolute Path stored in Environment Variable

Post by ctrLogicDotNet »

Thank You for the hint

So the way I understand this, if it is available for anybody via .htaccess on a shared server, there can't be any security issues?
But now the thing is, I don't want to include .htaccess files on every customer accounts for this absolute_path variable to be available, I want it to be accessible directly from php...

Anyway to include a variable directly in $_SERVER variables?
ctrLogicDotNet
Forum Newbie
Posts: 24
Joined: Fri Jul 24, 2009 10:52 am

Re: Absolute Path stored in Environment Variable

Post by ctrLogicDotNet »

Guess I could do it directly by configuring php.ini:
  • auto_prepend_file = "path_of_file_to_be_executed";
and add a script name to be executed at every start containing this:
  • $_SERVER['path_I_want_to_be_added'] = 'whatever';
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Absolute Path stored in Environment Variable

Post by kaisellgren »

I'm no Apache/HTTPD expert, but can't you do this "SetEnv" automatically for each HTTP request? I think there is a way to do it globally so that no .htaccess needed.

Also, how and when would someone use this $_SERVER variable in PHP code?
Post Reply