Re: [PHP] hiding passwd in cmdlines that appear in the process list

2006-11-30 Thread Edwin Barrios

Hi!

I don't know if my solution is better or not, but in one of my programs I
had to make an online backup, and my solution was to use shell vars to hold
important information like the db_password. When we use the putenv function
those vars only exist in the current shell and in its subshells. In your case
the following code:

<?php
  // Export the credentials into the environment of the PHP process; the
  // shell started by system() inherits them.
  putenv("DBNAME=".DB_NAME);
  putenv("DBUSER=".DB_USER);
  putenv("DBPASSWD=".DB_PASSWD);

  // Single quotes: PHP does not expand $DBUSER etc., so the command string
  // handed to sh -c contains the variable names; the shell expands them.
  system('mysql -h localhost --user=$DBUSER --password=$DBPASSWD -D $DBNAME < "/my/import/script.sql" 2>&1');
?>

On 11/30/06, Jochem Maas <[EMAIL PROTECTED]> wrote:


Richard Lynch wrote:
> Don't use exec. ;-v

yeah - which is annoying because outside of php/exec() using the `cat
/path/2/myqyl/passwd`
trick works (i.e. ps doesn't give the passwd away)

thanks to everyone for their input - I have plenty to read/think about,
I'll send something back to the list when I have decided upon and tested a
working solution

thanks everyone!

>
> Or, perhaps, write a shell script that reads the password and provides
> it to MySQL somehow without invoking another exec of some kind.
>
> You also could look into other MySQL authentication mechanisms such as
> SSL keys and whatnot -- which I only vaguely recall seeing somewhere
> in the MySQL docs.
>
> That might still end up with a PHP/world readable file that has a
> private key in it, but at least it requires the Bad Guy to take one
> more step to read said file.
>
> On Wed, November 29, 2006 6:10 am, Jochem Maas wrote:
>> I have been using exec() for a number of things recently - one of the
>> things
>> I'm using it for it to run mysql in order to import SQL scripts
>>
>> so I have some code that looks like:
>>
>> // build the cmdline
>> $cmd = sprintf('mysql -h %s --user=%s --password=`cat %s` -D %s <
>> "%s" 2>&1',
>>MYSQL_SERVER, MYSQL_ROOT_USER, $rootPasswdFile,
>>$data['db_name']['value'], $file);
>>
>> // run the mysql command via the cmdline
>> $output = array(); $exit = 0;
>> @exec($cmd, $output, $exit);
>>
>> everything works. but there is a security issue - one that I thought I
>> had
>> specifically tackled.
>>
>> the security issue occurs due to the fact that the process list (this
>> is
>> just linux I'm talking about) will show the complete command line,
>> which in
>> my case would look something like (in the processlist):
>>
>>
>> mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AH I hear you say but the wily use of "`cat /my/sql/root/passwd/file`"
>> masks the actual
>> password from anyone looking in the process list. indeed under normal
>> shell scripting circumstances
>> that may have been true.
>>
>> BUT using php's exec() to run the cmdline causes the following to
>> show up in the processlist:
>>
>>
>> sh -c mysql -h localhost --user=admin --password=`cat
>> /my/sql/root/passwd/file` -D somedb < "/my/import/script.sql" 2>&1
>>
>>
>> AND that [sub]shell then lists its process[es] in the list also, there
>> is only one
>> and it is this:
>>
>>
>> mysql -h localhost --user=admin --password=MYFINGPWD -D somedb
>>
>>
>> does anyone have an idea how to overcome this security issue (without
>> resorting to having to
>> type in the mysql admin passwd interactively!)
>>
>> thanks & regards,
>> Jochem
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
>

Re: [PHP] hiding passwd in cmdlines that appear in the process list

2006-11-30 Thread Edwin Barrios

On 11/30/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Thu, November 30, 2006 9:59 am, Edwin Barrios wrote:
> I don't know if my solution is better or not, but in one of my
> programs I had to make an online backup, and my solution was to use
> shell vars to hold important information like the db_password. When we
> use the putenv function those vars only exist in the current shell and
> in its subshells. In your case the following code:
>
>   putenv("DBNAME=".DB_NAME);
>   putenv("DBUSER=".DB_USER);
>   putenv("DBPASSWD=".DB_PASSWD);
>
>   system('mysql -h localhost --user=$DBUSER  --password=$DBPASSWD -D $DBNAME
> < "/my/import/script.sql" 2>&1');
>
> ?>

This solution, as most good ones, has pros and cons:

Pro:
Does keep the password from being exposed in the normal course of
operations.

Con:



This is not true, because a shell var declared in a shell is only exposed
to its subshells; that means that only exec() and system() function calls
made from PHP itself receive those vars declared in PHP!

You can see this argument in the following code:

<?php
  error_reporting(E_ALL);

  // Environment of the subshell before the putenv() calls
  echo "OLD ";
  system("env");
  echo "";

  putenv("DBNAME=sidf");
  putenv("DBUSER=p");
  putenv("DBPASSWD=p");

  // The subshell environment afterwards now carries the three vars
  echo "NEW ";
  system("env");
  echo "";
?>

and reload it a couple of times.

A simple debug statement to dump out all of ENV / $_GLOBALS will
expose the password.

So you have to ask yourself if you and all your employees and all the
scripts you ever install, including any forums etc, are for sure never
ever going to dump that password out in an attempt to debug something
else.

For a solo developer or even a small team, with all custom hand-coded
stuff, this is pretty easy.  But once your application blows up and
you have a larger team, or you start caving in to client demands to
install badly-written forums/carts/blogware, you are open to a
potential security hole which:
  has two seemingly unrelated contributing causes
  the two causes can be years apart in time
  both are simple straight-forward "obvious" Right Things to do

So you have to weigh carefully the Risks, and DOCUMENT what you did
and DOCUMENT what *not* to do in the future to expose this sensitive
data.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

Re: [PHP] hiding passwd in cmdlines that appear in the process list

2006-11-30 Thread Edwin Barrios

Hi!
First of all, pardon me if my last mail was not understandable!

Then Richard said that the following is a con of my solution:

"  A simple debug statement to dump out all of ENV / $_GLOBALS will expose
the password. So   you have to ask yourself if you and all your employees
and all the scripts you ever install, including any forums etc, are for sure
never ever going to dump that password out in an attempt to debug something
else.  " ...

This is not true, because a shell var declared in a shell is only exposed
to its subshells; that means that only exec() and system() function calls
made from PHP itself receive those vars declared in PHP!

You can see this argument in the following code:

<?php
  error_reporting(E_ALL);

  // Environment of the subshell before the putenv() calls
  echo "OLD ";
  system("env");
  echo "";

  putenv("DBNAME=sidf");
  putenv("DBUSER=p");
  putenv("DBPASSWD=p");

  // The subshell environment afterwards now carries the three vars
  echo "NEW ";
  system("env");
  echo "";
?>

and reload it a couple of times.
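The visibility argument of this thread (the exec() command line in the first post versus the putenv() variant above), as an added example that is not from the thread or from PHP: a Linux Python script that spawns a stand-in child (`sh -c 'sleep 3'`, not mysql) once with a constructed sample password in its argv and once with it in the environment, then reads /proc/<pid>/cmdline and the mode of /proc/<pid>/environ to show what the process list gives away in each case.

```python
import os
import stat
import subprocess

# Constructed sample value for the demonstration, not a real credential.
SECRET = "constructed-sample-passw0rd"


def proc_cmdline(pid: int) -> str:
    """Return the argv of <pid> roughly as `ps` prints it (NULs become spaces)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()


def spawn_with_secret_in_argv() -> subprocess.Popen:
    """Like exec('mysql ... --password=SECRET'): the secret is an argv entry.

    `sh -c CODE ARG0 ARG1` accepts extra positional arguments, so the stand-in
    child carries the option in its argv without having to understand it. The
    trailing `exit 0` keeps bash from exec'ing sleep in place of itself.
    """
    return subprocess.Popen(
        ["sh", "-c", "sleep 3; exit 0", "mysql-stand-in", f"--password={SECRET}"]
    )


def spawn_with_secret_in_env() -> subprocess.Popen:
    """Like putenv('DBPASSWD=...') + system(): the secret travels in the environment."""
    env = dict(os.environ, DBPASSWD=SECRET)
    return subprocess.Popen(["sh", "-c", "sleep 3; exit 0"], env=env)


def secret_in_cmdline(pid: int) -> bool:
    """True if anyone reading the process list would see the secret in argv."""
    return SECRET in proc_cmdline(pid)


def environ_world_readable(pid: int) -> bool:
    """/proc/<pid>/environ is mode 0400: only the owner (and root) can read it."""
    mode = os.stat(f"/proc/{pid}/environ").st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def compare() -> dict:
    """Spawn both variants and report what the process list gives away."""
    argv_child = spawn_with_secret_in_argv()
    env_child = spawn_with_secret_in_env()
    try:
        return {
            "argv_variant_leaks_secret": secret_in_cmdline(argv_child.pid),
            "env_variant_leaks_secret": secret_in_cmdline(env_child.pid),
            "environ_world_readable": environ_world_readable(env_child.pid),
        }
    finally:
        for child in (argv_child, env_child):
            child.kill()
            child.wait()


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The shell still expands $DBPASSWD before it execs the real client, so the client's own argv carries the value just as Jochem saw with the `cat` trick; the environment only keeps it out of the `sh -c` line, and /proc/<pid>/environ stays readable by the same user and by root.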


Re: [PHP] Multi-threaded port listener

2006-04-28 Thread Edwin Barrios

Hi.

If you want a separate script execution, you can use inetd or xinetd to
listen on that port for you.
When inetd gets a connection it executes your PHP script, one execution per
connection.

I think it is more useful to create your own responder server in PHP
using forks! But using inetd has the advantage that you can use
tcpwrappers.

On 4/28/06, René Fournier <[EMAIL PROTECTED]> wrote:


Anyone find any good tutorials, code samples, etc. on such a thing?
Basically, I want to write a server (in PHP) that listens on a
particular port, and spins off a thread/process (essentially, execute
a separate script) for each incoming connection. There won't be a lot
of data to process, but there will be many simultaneous connections—
upwards of 1000s of connections (each spun off as separate threads).

...Rene


[PHP] Performace and segfault errors with Php5 + Apache 1.3.x + linux-2.6.x

2005-07-31 Thread Edwin Barrios
I am developing a web framework, SifEngine (Secure Web Interface
framework), that implements MVC applying the security ideas from
http://phpsec.org. I am using DomXML, SQLite, Mcrypt and PostgreSQL.

After posting my development on the internet (I have been thinking of
posting it on PEAR), I made simple tests of applications with my
framework. During the implementation I used Slackware 10.1 with
kernel 2.4.29 + php5.0.4 + Apache 1.3.2, with no problems. I didn't
detect performance problems or segfaults in apache. Then I decided to
do the same test but with kernel 2.6.10, expecting that no problems
would occur. Contrary to my expectation, on this new configuration all the
applications developed with my framework had performance issues or, in
the worst case, caused apache forks to be restarted, or a lot of
apache forks.

I don't understand why this occurs; I tried to use valgrind to check for
memory leaks, without results.

Can someone help me with this problem?

At the moment I'm using SifEngine to implement my projects only on
kernel 2.4.x!

Thanks!

Atte:
Edwin Hernan Barrios Nuñez
iBand Networks Ltda.
www.iband.net


Re: [PHP] returning info. from a form selection

2005-08-01 Thread Edwin Barrios
 Hi!

 What you want is to receive values from a "select"!

 First, a select input sends (when the form is submitted) the value of
 the selected item; then the PHP script that is the form action receives,
 in POST or GET, a variable with the name of the select input carrying this
 value.

 Then you have:

 This is the HTML source:
 
 
  Purchase
  Construct Home
  
 
 
 
 
 On the PHP source:
 
 
 
 
 That is all.
> 
> 
> On 8/1/05, Bruce Gilbert <[EMAIL PROTECTED]> wrote:
> > can anyone give me an idea on how to return info. from a form pulldown menu
> >
> > eg:
> >
> >  > name="loan_process">
> >>   selected="selected">Purchase
> >>   value="">Construct Home
> >   
> > 
> >
> > and return that to an email address.
> >
> >
> > thanks
> >
> >
> >
> > --
> > ::Bruce::
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>



Re: [PHP] Performace and segfault errors with Php5 + Apache 1.3.x + linux-2.6.x

2005-08-01 Thread Edwin Barrios
I compiled the vanilla kernel from kernel.org, linux-2.6.10, and I am
using apache 1.3.3. My PHP configuration is:

'./configure' '--with-apxs' '--with-pgsql' '--with-mysql'
'--with-opennssl' '--with-zlib' '--with-bz2' '--enable-calendar'
'--with-curl' '--with-curlwarppers' '--enable-ftp' '--with-gettext'
'--with-mcrypt' '--enable-pcntl' '--enable-soap' '--enable-sockets'
'--enable-sqlite-utf8' '--enable-sysvmsg' '--enable-sysvsem'
'--enable-sysvshm' '--enable-shmop' '--with-xsl'
'--enable-maintainer-zts' '--with-tsrm-pthreads'

So, I don't know what is happening.

On 8/1/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> On 8/1/05, Edwin Barrios <[EMAIL PROTECTED]> wrote:
> > I am developing a web framework, SifEngine (Secure Web Interface
> > framework), that implements MVC applying the security ideas from
> > http://phpsec.org. I am using DomXML, SQLite, Mcrypt and PostgreSQL.
> >
> > After posting my development on the internet (I have been thinking of
> > posting it on PEAR), I made simple tests of applications with my
> > framework. During the implementation I used Slackware 10.1 with
> > kernel 2.4.29 + php5.0.4 + Apache 1.3.2, with no problems. I didn't
> > detect performance problems or segfaults in apache. Then I decided to
> > do the same test but with kernel 2.6.10, expecting that no problems
> > would occur. Contrary to my expectation, on this new configuration all the
> > applications developed with my framework had performance issues or, in
> > the worst case, caused apache forks to be restarted, or a lot of
> > apache forks.
> >
> > I don't understand why this occurs; I tried to use valgrind to check for
> > memory leaks, without results.
> >
> > Can someone help me with this problem?
> >
> > At the moment I'm using SifEngine to implement my projects only on
> > kernel 2.4.x!
> 
> Any exotic security patches been applied to the kernel that is having issues?
> 
> I have PHP5, Apache2 on a 2.6.8 kernel with no issues.  It may be that
> you have a non-thread-safe library added to your Apache/PHP setup.
> Apache 1.3.x is still the Apache of choice last I heard.
> 
> 
> --
> Greg Donald
> Zend Certified Engineer
> MySQL Core Certification
> http://destiney.com/
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>


Re: [PHP] Re: Performace and segfault errors with Php5 + Apache 1.3.x + linux-2.6.x

2005-08-08 Thread Edwin Barrios
Yes, I'm using a lot of nested loops with __call(), because DOM
doesn't support parsing not-well-formed HTML, so I decided to develop my
own HTML templates class, iTemp, and I used a combination of foreach
(Iterator implementation) and __call + __get to create an inheritance
tree like DOM.

But I don't understand why only changing the kernel from 2.6.x =>
2.4.x solved all my problems magically?

On 8/4/05, Matthew Weier O'Phinney <[EMAIL PROTECTED]> wrote:
> * Edwin Barrios <[EMAIL PROTECTED]>:
> > I am developing a web framework, SifEngine (Secure Web Interface
> > framework), that implements MVC applying the security ideas from
> > http://phpsec.org. I am using DomXML, SQLite, Mcrypt and PostgreSQL.
> >
> > After posting my development on the internet (I have been thinking of
> > posting it on PEAR), I made simple tests of applications with my
> > framework. During the implementation I used Slackware 10.1 with
> > kernel 2.4.29 + php5.0.4 + Apache 1.3.2, with no problems. I didn't
> > detect performance problems or segfaults in apache. Then I decided to
> > do the same test but with kernel 2.6.10, expecting that no problems
> > would occur. Contrary to my expectation, on this new configuration all the
> > applications developed with my framework had performance issues or, in
> > the worst case, caused apache forks to be restarted, or a lot of
> > apache forks.
> >
> > I don't understand why this occurs; I tried to use valgrind to check for
> > memory leaks, without results.
> 
> Are you using __call() or any of the other overloading methods? I had a
> situation several months ago where __call() was going into an infinite
> loop and causing segfaults. Once I tracked that down and fixed it,
> everything worked fine.
> 
> --
> Matthew Weier O'Phinney
> Zend Certified Engineer
> http://weierophinney.net/matthew/
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>


Re: [PHP] Inherit Methods

2005-08-08 Thread Edwin Barrios
Hi!

You have to define $var as protected.

This is an example where the PHP5 OO model has a few ambiguities.
Think a little about your problem: in the child class scope $var is
private, so when you execute printVar() you aren't executing it in the
parent scope, you are calling a copy in the child scope, and so you don't
have access to $var. Only when you use the parent scope through
parent::printVar() are you really calling the parent class instance inside
your child, and then it prints the result.

So when you want a variable to be used in a public inherited method you
have to define it as protected.

On 8/8/05, Norbert Wenzel <[EMAIL PROTECTED]> wrote:
> Is it possible to run inherited methods in the scope of the child class?
>   In my case I have an abstract class called 'Company' and some child
> classes. There is a non abstract function in 'Company' which prints
> '$this->phoneList'. That function should be the same to all child
> classes, without rewriting it in every class.
> 
> I call the printing method via the child class like
> $childObject->printPhoneList();
> The call seems to be handed over to the parent class 'Company' which is
> fine. But the $this points to the phoneList of the abstract parent
> class. So the phoneList in the abstract class seems to be unset, since I
> have set the phone list in the child class.
> 
> Here's a short example, showing what I mean:
> 
> <?php
> abstract class AbstractClass {
> 
> private $var;
> 
> public function printVar() {
> echo('var: ' . $this->var . '');
> }
> 
> }
> 
> class ConcreteClass extends AbstractClass {
> 
> public function __construct($var) {
> $this->var = $var;
> }
> 
> public function printVarChild() {
> echo('var (child): ' . $this->var . '');
> }
> 
> }
> 
> $cl = new ConcreteClass(15);
> $cl->printVar();
> $cl->printVarChild();
> ?>
> 
> Output is:
> var:
> var (child): 15
> 
> 
> Has anyone an idea how to print the $var of the child, without copying
> the method in every child class?
> 
> thanks in advance,
> Norbert
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>


[PHP] Where can i find docs to create a php5 extensions with OOP as SimpleXML?

2005-11-26 Thread Edwin Barrios
Hi,

I'm a PHP web programmer, but I want to learn how to develop PHP5 extensions.
I find PHP5 a good language for object-oriented programming, and it has very
useful examples of OO extensions such as SimpleXML, DOM and SQLite; for this
reason I want to develop my extension following the style of those APIs.

I've read some docs about creating a PHP extension that appears as new
functions in PHP, but I can't find info on developing extensions that appear
as classes in PHP.

Thanks for your help. I'm really interested in this topic, especially to
collaborate in PHP extension projects such as wxPHP.


Re: [PHP] Where can i find docs to create a php5 extensions with OOP as SimpleXML?

2005-11-27 Thread Edwin Barrios
Hi, David

> I suggest you take a look at
>
> http://www.zend.com/php5/articles/php5-xmlphp.php
>
> david
>
>
Thanks for your suggestion, but I want info about programming extensions in
C/C++.


[PHP] how to create a php5 extensions on C/C++, reflecting php Class Api's ?

2005-12-27 Thread Edwin Barrios
Hi, I'm a PHP web programmer, but I want to learn how to develop PHP5
extensions in C/C++. I find PHP5 a good language for object-oriented
programming, and it has very useful examples of OO extensions such as SimpleXML,
DOM and SQLite; for this reason I want to develop my extension following the
style of those APIs.
I've read some docs about creating a PHP extension that appears as new
functions in PHP, but I can't find info on developing extensions that appear
as classes in PHP.

Thanks for your help. I'm really interested in this topic, especially to
collaborate in PHP extension projects such as wxPHP.


Re: [PHP] how to create a php5 extensions on C/C++, reflecting php Class Api's ?

2005-12-30 Thread Edwin Barrios
Hello Gustavo!

Thanks for your suggestion; that book is interesting material for
learning the more advanced features of PHP5 and for getting started in the C
extensions world.

Chapter 15 only looks at extending PHP5 with functions, but there is no
section on how to create a PHP5 class in a C extension.

Do you know how to do that?

On 12/27/05, Gustavo Narea <[EMAIL PROTECTED]> wrote:
>
> Hello, Edwin.
>
>
>
> I think that in chapter #15 of "PHP 5 Power Programming" you're going to
> find what you are looking for.
>
> Regards!
>
> --
> Gustavo Narea.
> PHP Documentation - Spanish Translation Team.
> Valencia, Venezuela.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP] Using GPG in Safe Mode

2006-01-17 Thread Edwin Barrios
Hi Emil!

If you are using the gnupg command line, there is no way in PHP safe mode.

The only way I know to work around this problem is to install the PECL
extension package called gnupg (http://pecl.php.net/package/gnupg). This
extension uses libgpgme, which binds all the gnupg command-line options, so it
doesn't have problems with safe mode.


I don't know if this tip is useful in your case, but it's the only
solution I know.



On 1/16/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
> Hello,
>
> My ISP has php set to safe mode. And now I'm trying to run gpg from php.
>
> Basically I'm trying to run this from exec():
> echo "testar testar" | /usr/local/bin/gpg --homedir /home/myuser/ .gnupg
> -a --always-trust --batch --no-secmem-warning -e -u "Test Test 
> " -r "Test Test <
> test@test.com>"
>
> When I run it from cli myself it works fine, but it fails when I run it
> from php. Is there any way I can get this to work?
>
> Sorry if this is OT or an obvious question.
>
> /Regards Emil
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP] Re: Using GPG in Safe Mode

2006-01-19 Thread Edwin Barrios
Hi, Emil

Using "safe_mode_exec_dir" is a solution if you have access to your
php.ini or httpd.conf, because it's a PHP_INI_SYSTEM var. For this reason
you can't set this var with the ini_set() function in a PHP script.

If your ISP has a very restricted setting, I think that the solution that
"comex" suggests is a good one, though it isn't my preferred solution because
of security issues.

P.S.
I have never tested whether setting PHP_INI_SYSTEM vars is possible in a
.htaccess file.



On 1/18/06, M <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote:
> > Hi Edwin!
> >
> > Thanks for the tips but my ISP hasn't given me root. I'm very sad to
> hear gpg from cli won't work under safe mode. Are there any 100% php
> implementations of GPG I could use? (because I guess that is the only way
> that is left?)
> >
> > /Emil
> >
> >
> >>If you are using the gnupg command line, there is no way in PHP safe mode.
> >>The only way I know to work around this problem is to install the PECL
> extension package
> >
>
> there is a way, if the gpg binary is in safe_mode_exec_dir
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>