[wp-hackers] Security Vulnerability found - Forum Post

Amit Gupta amit at igeek.info
Thu Apr 14 21:31:15 GMT 2005


I know what you are trying to say & I know that once a variable is unset, it can't be accessed in the script anymore. But you didn't understand what I meant. What I was saying is that:-

1) what good it would do to unset the db vars? added security? no-one able to access db user/password?

2) the wp-config file is loaded on every page load in WordPress, right? so the variables are created everytime wp-config is loaded. you can ofcourse unset them as soon as they are loaded

3) the db user/password are still hardcoded in the wp-config file, so anyone having access to it can have them.

4) if wp-config is loaded everytime on a page load, then wouldn't it be better to check if a db connection exists or not? if the connection exists, then there's no need to load wp-config. however, if db connection doesn't exist, then it can be loaded. no?

hope I make myself clearer this time. :)

-----
Amit Gupta

|| Canned!! -- my Atropine || iG:Syntax Hiliter v2.01 ||
|| iGEEK.INFO || Free Nokia Ringtones || Online Gaming @ Games Planet || 




---------- Original Message from "Robert Deaton" <false.hopes at gmail.com> ----------
PHP has this nice feature for variables called unset. unset('varname') and you don't have to worry
about the rest of the script being able to access it. Call unset on the variables right after the
database connection is established and then it guarantees that you can't access them elsewhere
(minus inside the wpdb class if they're stored there, and if so, it could be made not to store them
there and not lose any functionality).

-- 
--Robert Deaton
http://somethingunpredictable.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://comox.textdrive.com/pipermail/wp-hackers/attachments/20050414/6b9871a6/attachment-0001.html


More information about the wp-hackers mailing list