[Typo3-dev] defined vars

Arne Skjaerholt skjaerho at cpi.no
Wed Oct 20 17:05:40 CEST 2004


> So what do you suggest to minimize the problem?
I think what Tonni was trying to suggest is that the password var should
be unset() after the connection to the DB has been established. However,
leaking the DB password shouldn't be a major security problem as the DB
server should only accept connections from the webserver at any rate,
and Typo3 should connect as an unprivileged user who has access to the
Typo3 DB -only- (and the DB root password should be different from the
system root password at any rate). However, I really can't see any
practical use for the DB passwd being available to the extensions.

Arne
:wq
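
The unset()-after-connect idea from the message above, as an added example that is not part of the original post or of TYPO3's code. The variable names and the connect_db() stand-in are hypothetical; the point it shows is that unset() on a `global`-imported variable inside a function does not remove the global, while unsetting the `$GLOBALS` entry does.

```php
<?php
// Constructed stand-in for the settings a config file would define.
// The variable names are hypothetical, not TYPO3's own.
$db_host = 'localhost';
$db_user = 'typo3_app';
$db_password = 'constructed-example-secret';

// Hypothetical stand-in for the real connect call, so this runs offline.
function connect_db(string $host, string $user, string $password): array
{
    return ['host' => $host, 'user' => $user, 'connected' => $password !== ''];
}

// Pitfall: unset() on a variable imported with `global` only drops the
// function-local reference; the global itself stays readable.
function connect_and_scrub_wrong(): array
{
    global $db_host, $db_user, $db_password;
    $link = connect_db($db_host, $db_user, $db_password);
    unset($db_password);
    return $link;
}

// Works: remove the entry from $GLOBALS so code included later
// (for example an extension) no longer finds the password.
function connect_and_scrub(): array
{
    $link = connect_db($GLOBALS['db_host'], $GLOBALS['db_user'], $GLOBALS['db_password']);
    unset($GLOBALS['db_password']);
    return $link;
}

// Stand-in for extension code running after the connection is made.
function extension_sees_password(): bool
{
    return isset($GLOBALS['db_password']);
}

connect_and_scrub_wrong();
var_dump(extension_sees_password()); // state after the function-local unset()
$link = connect_and_scrub();
var_dump($link['connected']);        // connection was made before scrubbing
var_dump(extension_sees_password()); // state after unsetting the $GLOBALS entry
```

Scrubbing the variable only removes it from the running script's global scope; the password is still in the configuration file, so the restrictions on the DB account described in the message remain the control that limits what a leaked password can do.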




