[Typo3-dev] defined vars

Martin Poelstra martin at beryllium.net
Wed Oct 20 18:32:33 CEST 2004


> I think what Tonni was trying to suggest is that the password var should
> be unset() after the connection to the DB has been established.

As Ernesto already stated, it doesn't make a difference if you just unset()
the constants, vars, or whatever, because you can always simply
file_get_contents(PATH_typo3conf.'localconf.php') (or something).
The only way is to

A) make sure your MySQL-server doesn't accept connections from the
mysql-typo3-user from any other host than localhost (or the webserver(s))
and

B) check the source code of the extensions you download for 'malicious' code.
Some work to do this has already been discussed many times before, but IIRC
it never really started.

Grtz,
Martin
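
Point A above as a check, added here as an example that is not part of the original post: it reads the tab-separated output of `mysql -N -e "SELECT user, host FROM mysql.user"` and reports every Host value that lets the TYPO3 database account connect from somewhere other than localhost or a listed web server. The account name `typo3`, the addresses and the sample rows are constructed assumptions.

```python
# Hosts from which the TYPO3 database account may always connect.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_is_restricted(host, webservers=()):
    """True only if Host is a literal localhost or listed web-server address."""
    allowed = LOCAL_HOSTS | {w.lower() for w in webservers}
    host = host.strip().lower()
    # '%' and '_' are MySQL wildcards; an empty Host is treated as unrestricted here.
    if not host or "%" in host or "_" in host:
        return False
    # The 'address/netmask' form matches a whole range of clients.
    if "/" in host:
        return False
    return host in allowed


def audit_accounts(rows_text, db_user, webservers=()):
    """Return the Host values of db_user that accept connections from elsewhere."""
    findings = []
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        user, _, host = line.partition("\t")
        if user == db_user and not host_is_restricted(host, webservers):
            findings.append(host)
    return findings


# Constructed sample of "user<TAB>host" rows (documentation address ranges).
SAMPLE_ROWS = (
    "root\tlocalhost\n"
    "typo3\tlocalhost\n"
    "typo3\t%\n"
    "typo3\t192.0.2.%\n"
    "typo3\t198.51.100.7\n"
    "typo3\t203.0.113.0/255.255.255.0\n"
)

if __name__ == "__main__":
    # 198.51.100.7 stands in for a separate web server (assumption).
    for host in audit_accounts(SAMPLE_ROWS, "typo3", webservers=("198.51.100.7",)):
        print("typo3@%s accepts connections from beyond the web server" % host)
```
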




