[wp-hackers] Keeping database connection info safe

Dave Grijalva grijalva at gmail.com
Sat Feb 25 00:37:22 GMT 2006


I agree with this.  It could be argued that you should only install plugins
from users you trust or that you should view the source of a plugin before
installing it, but that's not really good enough.  Since the db password has
to be stored in the config file in cleartext, I think there really needs to
be a way to wipe it once the db is connected.

The only problems I see with this are that the config file can always just be
included again, or even opened and parsed by the malicious plugin.  Also, if
the connect info is removed from the memory, there would be no way to
reconnect to the db if the connection is severed, though I don't know if
there is even support for this in the wp core code.

A better way to do this with php5 is to use private member variables and a
setter function, but I don't think there is a PHP4 equivalent.  Can anybody
out there think of a PHP4 compatible way to secure that data?

-dave

On 2/24/06, Joseph Scott <joseph at randomnetworks.com> wrote:
>
>
> I've been thinking about WordPress plugins and came up with some issues on
> keeping database connection information safe.  In wp-config.php all
> of the details needed to connect to the MySQL database are defined()
> as constants.  This makes it very easy for the $wpdb object to do its
> thing.  But once the database connection has been established, do we
> really need to have those constants still floating around?
>
> It would be very easy to include some malicious code in a plugin that
> would attempt to email out those details to "bad people".  So my
> first thought was to simply undefine the database connection info
> once a successful database connection has been established.  It
> doesn't look like this is possible though, according to the PHP
> constants docs (at http://us2.php.net/manual/en/language.constants.php).
> Once a constant has been defined it can
> never, ever be changed or undefined, hence the term constant :-)
>
> So perhaps there should be some discussion on setting the database
> connection information in a way that can be later undefined once the
> database connection has been established.  Maybe something as simple
> as an array?  Something like:
>
> $db_info["host"] = "localhost";
> $db_info["user"] = "awesome";
> $db_info["password"] = "133t";
> $db_info["name"] = "cool_blog";
>
> After the database connection is done a call to unset($db_info) or
> $db_info = "" or $db_info = array() would be enough to zap that info.
>
> I realize there is a certain amount of trust when a user activates a
> plugin and there isn't really a way to prevent a plugin from shooting
> a user in the foot, but we can take some small steps to eliminate the
> potential risks.  No this won't prevent a plugin from trashing a
> database (since they'll still have access to the database
> connection), but it could prevent sensitive data from getting out.
>
> Comments, thoughts, ideas?
>
> --
> Joseph Scott
> joseph at randomnetworks.com
> http://joseph.randomnetworks.com/


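The private-member idea from the reply combined with the wipe-after-connect idea from the quoted message, as an added PHP 5.5+ example (not code from the thread or from WordPress). DbCredentials, connectOnce and the stand-in connector are hypothetical names, and the sample values are constructed.

```php
<?php
// Added illustration: hypothetical class, not WordPress core code.
final class DbCredentials
{
    private $host, $user, $password, $name;
    private $wiped = false;

    public function __construct(array $info)
    {
        $this->host     = $info['host'];
        $this->user     = $info['user'];
        $this->password = $info['password'];
        $this->name     = $info['name'];
    }

    // Hand the secrets to the connector exactly once, then overwrite them.
    public function connectOnce($connector)
    {
        if ($this->wiped) {
            // The reconnect problem raised in the reply: nothing is left to reuse.
            throw new RuntimeException('credentials already wiped');
        }
        try {
            return call_user_func($connector, $this->host, $this->user, $this->password, $this->name);
        } finally {
            // Runs whether the connector returned or threw.
            $this->host = $this->user = $this->password = $this->name = null;
            $this->wiped = true;
        }
    }
}

// Constructed sample values, same shape as the $db_info array in the thread.
$db_info = array('host' => 'localhost', 'user' => 'awesome', 'password' => 'example-password', 'name' => 'cool_blog');
$creds = new DbCredentials($db_info);
unset($db_info); // drop the plain array, as proposed in the quoted message

// Stand-in for the real database connect call so the example runs offline.
$fake_connect = function ($host, $user, $password, $name) {
    return "connected to $name@$host as $user";
};

echo $creds->connectOnce($fake_connect), "\n";
try {
    $creds->connectOnce($fake_connect); // second use after the wipe
} catch (RuntimeException $e) {
    echo 'reconnect failed: ', $e->getMessage(), "\n";
}
```

The second call fails, which is the reconnect limitation raised in the reply. The credentials also remain in the config file on disk, so this only removes the in-memory copy held by the object.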