phplib-users

[Phplib-users] php4 session saves whole obj properties, includeud db pass

[Giancarlo <gia...@na...>]

I am disappointed, again, in discovering that.
every property of the class is saves, and in each /tmp/sess_ there's 
everything for the connection,included puser an pass in cleartext.

phplib used to save only the persisten vars.

...my arms fall aside...

Gian

Re: [Phplib-users] php4 session saves whole obj properties, includeud db pass

[Michael C. <mdc...@mi...>]

On Wed, Sep 25, 2002 at 08:31:30PM +0200, Giancarlo wrote:
> I am disappointed, again, in discovering that.
> every property of the class is saves, and in each /tmp/sess_ there's 
> everything for the connection,included puser an pass in cleartext.
> 
> phplib used to save only the persisten vars.

I always erase passwords.

Michael
-- 
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/

Re: [Phplib-users] php4 session saves whole obj properties, includeud db pass

[Giancarlo <gia...@na...>]

Il 00:02, gioved=EC 26 settembre 2002, Michael Chaney ha scritto:
> On Wed, Sep 25, 2002 at 08:31:30PM +0200, Giancarlo wrote:
> > I am disappointed, again, in discovering that.
> > every property of the class is saves, and in each /tmp/sess_ there's
> > everything for the connection,included puser an pass in cleartext.
> >
> > phplib used to save only the persisten vars.
>
> I always erase passwords.
>

You mean you=20

unset ($db->Host);
unset ($db->User);
unset ($db->Database);
unset ($db->PAssword);

before page_close/freeze?

Gian

Re: [Phplib-users] php4 session saves whole obj properties, includeud db pass

[Michael C. <mdc...@mi...>]

On Wed, Sep 25, 2002 at 11:59:04PM +0200, Giancarlo wrote:
> Il 00:02, gioved=EC 26 settembre 2002, Michael Chaney ha scritto:
> > On Wed, Sep 25, 2002 at 08:31:30PM +0200, Giancarlo wrote:
> > > I am disappointed, again, in discovering that.
> > > every property of the class is saves, and in each /tmp/sess_ there's
> > > everything for the connection,included puser an pass in cleartext.
> > >
> > > phplib used to save only the persisten vars.
> >
> > I always erase passwords.
> >
>=20
> You mean you=20
>=20
> unset ($db->Host);
> unset ($db->User);
> unset ($db->Database);
> unset ($db->PAssword);
>=20
> before page_close/freeze?

I see no reason to make the $db variable persistent, and plenty of
reason to not do that.

Michael
--=20
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/

Re: [Phplib-users] php4 session saves whole obj properties, includeud db pass

[Giancarlo <gia...@na...>]

Il 00:29, gioved=EC 26 settembre 2002, Michael Chaney ha scritto:
> On Wed, Sep 25, 2002 at 11:59:04PM +0200, Giancarlo wrote:

> > > I always erase passwords.

> > You mean you=20
> >
> > unset ($db->Host);
> > unset ($db->User);
> > unset ($db->Database);
> > unset ($db->PAssword);
> >
> > before page_close/freeze?


> I see no reason to make the $db variable persistent, and plenty of
> reason to not do that.
>
> Michael

Oh yes.. Great!=20
Also I apprecieated when you suggested a good setup for Virtual host ini=20
settings.
Have to find that message back.


Gian=20

Re: [Phplib-users] php4 session saves whole obj properties, includeud db pass

[Maxim D. <max...@bo...>]

Hello Giancarlo,

Wednesday, September 25, 2002, 10:31:30 PM, you wrote:

G> I am disappointed, again, in discovering that.
G> every property of the class is saves, and in each /tmp/sess_ there's 
G> everything for the connection,included puser an pass in cleartext.

G> phplib used to save only the persisten vars.

PHP4 has a trick to avoid that. All the classes that can be fed to
serialize may define methods __sleep and __wakeup. __sleep is called
just before serialization, and __wakeup is called just after
unserialization. So, we should simply define those methods in Auth and
other classes that are meant to be persistent and use DB -
__sleep should unset db handle, __wakeup should define it.

-- 
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager,
Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
www.books.ru, www.symbol.ru