Re: Securing PHP scripts - Mailing list pgsql-php

From scott.marlowe
Subject Re: Securing PHP scripts
Date
Msg-id Pine.LNX.4.33.0308190958050.9234-100000@css120.ihs.com
In response to Re: Securing PHP scripts  ("Cody Phanekham" <Cody.Phanekham@salmat.com.au>)
List pgsql-php
On Tue, 19 Aug 2003, Cody Phanekham wrote:

> I should have mentioned that the server is a dedicated PHP / PostgreSQL
> server, therefore no other user would have access to it.
>
> My only concern is *if* the server gets compromised, then the attacker
> would have access to the DB without too much effort.

If the server gets compromised, you've lost.  If they just get to execute
arbitrary code as the httpd user, you've lost; if they can execute
arbitrary code as root, you've doubly lost.

Unless your system is designed for anonymous database access to be
secure, you can't really protect it from a rogue web server.

