[linux-help] Re: Linux Apps
To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Linux Apps
From: Steven Saner <ssaner@xxxxxxxxxxxxxxx>
Date: Fri, 8 Dec 2000 14:39:05 -0600
Reply-to: linux-help@xxxxxxxxx

On Fri, Dec 08, 2000 at 02:24:52PM -0600, Jesse Kaufman wrote:
> 
> On Fri, 8 Dec 2000, Steven Saner wrote:
> 
> > A concern I have that maybe someone has dealt with, is running PHP with
> > Postgres (or MySQL) on a server used by multiple people/customers,
> > whatever. You can set up a separate database on the Postgres/MySQL
> > server for each customer, but how do you keep one customer from
> > messing with another customer's database. You can put a password on
> > the database, but how do you store the password in a secure fashion so
> > your PHP script can send it to the backend when you try to make a
> > connection?
> 
> maybe this is over-simplified, but could you store the db passwd as an
> encoded string and use the base64_decode() function to read it?  granted,
> you'd have to first use the base64_encode() function to get the encoded
> string to store, but that's not hard...  i use this in one of my scripts to
> base64-encode an e-mail address and use it as part of the URL
> (...?Reply=<encode_string>) so that i can send the URL to someone and
> retrieve/decode the e-mail address from $HTTP_GET_VARS without the
> customer ever knowing what the e-mail address is...
> 
> another way you could do it is prompt for a passwd, then encrypt it and
> compare it to a stored encrypted passwd (there's some function that
> encrypts a string that cannot be decrypted w/ a PHP function)...
> 
> just some thoughts...

The problem is that since PHP runs as the same user (whatever the web
server uses) for all users, you could easily write a PHP script that
goes into another user's directory and searches for stuff, like
passwords, and functions for how they are used. It would be security
by obscurity (which is good enough for Microsoft I guess...).

You could solve the problem by requiring a password at a prompt, but
you don't always want to do that. Say a shopping cart application that
the general public uses.

Granted this concern requires that there are malicious users on the
same server as you... not that far fetched.


> --
> Jesse Kaufman                           |       WebSurf Internet Access
> Administration / Web Development        |       www.websurf.net
> glandix@xxxxxxxxxxx                     |       Ph: 316.945.7873
> www.linuxfreak.com/~glandix             |       Fax: 316.946.9944
> --
> 
> <<< Vim is a REAL man's text editor.  I don't know why anyone else would
>     even bother with sissy programs like emacs, or even worse...  pico!  >>>

-- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi