[Typo3-dev] defined vars

Ingmar Schlecht ingmar at typo3.org
Thu Oct 21 00:59:33 CEST 2004


Ernesto Baschny wrote:
> If you install an extension locally it can do much worse than that.

That's exactly what I thought when reading the posting.

The fact that TYPO3 knows its database password is really just more than 
obvious. How should it connect to the DB otherwise?

And, face it: All of you already knew the password was stored in 
typo3conf/localconf.php.

So by just include()ing that file that evil extension programmer 
would've got your DB password easily anyway.

Bottom line is: Don't execute any PHP code that you don't trust.
And: Secure your MySQL so it can't be accessed from outside.

cheers,
Ingmar
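A check in the spirit of the last line of the post, added here as an example (it is not code from the post, from TYPO3 or from its mailing list): a POSIX shell function that reads a my.cnf and reports whether mysqld would accept TCP connections from other hosts. The option names are the standard `bind-address` and `skip-networking` settings; the config files below are constructed samples, not from any real installation.

```shell
#!/bin/sh
# Added example: classify a MySQL server's network exposure from its my.cnf.
# Prints "closed"   if skip-networking is set (no TCP listener at all),
#        "loopback" if bind-address is 127.0.0.1, ::1 or localhost,
#        "exposed"  if bind-address is missing or names another address
#                   (without bind-address, mysqld listens on every interface).
mysql_exposure_from_cnf() {
    cnf="$1"
    # Keep only the [mysqld] section, dropping comments and blank lines,
    # so a bind-address under [client] is not mistaken for the server's.
    section=$(awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && $0 !~ /^[[:space:]]*(#|;|$)/ { print }
    ' "$cnf")
    if printf '%s\n' "$section" | grep -Eq '^[[:space:]]*skip[-_]networking'; then
        echo closed
        return 0
    fi
    # Last bind-address wins, as it does for mysqld; strip trailing comments.
    addr=$(printf '%s\n' "$section" \
        | sed -n -E 's/^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p' \
        | tail -n 1)
    case "$addr" in
        127.0.0.1|::1|localhost) echo loopback ;;
        *) echo exposed ;;
    esac
}

# Constructed sample configs (assumed paths under a temp dir, not real files).
TMP=$(mktemp -d)
cat > "$TMP/weak.cnf" <<'EOF'
[client]
host = 127.0.0.1
[mysqld]
datadir = /var/lib/mysql
# No bind-address here: mysqld would listen on all interfaces.
EOF
cat > "$TMP/hardened.cnf" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
bind-address = 127.0.0.1   # TYPO3 and MySQL share one host
EOF
WEAK_CNF="$TMP/weak.cnf"
HARDENED_CNF="$TMP/hardened.cnf"
mysql_exposure_from_cnf "$WEAK_CNF"       # exposed
mysql_exposure_from_cnf "$HARDENED_CNF"   # loopback
```

When the web server and MySQL run on different hosts, binding to loopback is not an option; the remaining controls are a firewall rule limited to the web host and a DB account granted only from that host.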