
Re: [Full-Disclosure] How secure is PHP ?



I was actually thinking of a way to incorporate it into an already
existing network setup that they probably have.  Most universities
still run LDAP access to information for student directory purposes. 
It also is easy to authenticate against without requiring extra
special permissions or having people register to use the website with
new user accounts.  Of course authenticating against an apache
htpasswd is do-able.

As far as storing the information, I forgot what the beginning of the
posted question was and was going by what JB was saying instead of
what Nayana first posted.  If you're using a L-A-M-P system you could
make separate users in the mysql database for each student.  That
would keep students from seeing each other's data.  Depending how you
want to set up tables and access rights becomes a database issue of
design for grants and such, but it wouldn't be hard to make a new user
in the database with a database script called by the php interface.

Once a user is authenticated through LDAP then you know that it's not
someone typing in their username incorrectly.  If the user account
exists in the database, you can allow the student back through to see
their own data and edit, add, remove whatever you see that the project
requires their access to be.  If the user doesn't exist, you can then
run a user creation script which gives predetermined roles and privs
to the user.  Remember it's all SQL anyways, just set up a file with
the commands and then feed it the user and password from the php
interface to create the user with specified password.

Each student can get their own table for storing information in the
database and then the database can take it all and bring it to a
central store table accessible by someone with higher privs if that's
part of what you're looking for.

If you wanted to go deep enough, you could even write a php interface
for the higher privileged user to access the data and see it all in
pretty tables or graphs or however the information is to be displayed.


--

On Fri, 5 Nov 2004 09:56:57 -0800 (PST), Gary E. Miller <gem@xxxxxxxxxx> wrote:
> Yo Matt!
> 
> On Fri, 5 Nov 2004, Matt wrote:
> 
> > There is actually a very easy way around this.  If you are running an
> > LDAP or AD environment, you can use the LDAP to authenticate the
> > users, then once the user is authenticated, take the username and
> > store that into a variable which you can then use to chown and chgrp
> > the resulting files for that user after they are written.
> 
> You do not need LDAP or AD for this.  Apache can happily validate
> against the local /etc/password or an htpasswd file.  Then use suexec to
> get the perms right.  All the config you need for this will fit nicely
> in your httpd.conf.
> 
> OTOH, you better have a better than average Apache Admin to noodle this
> out.
> 
> RGDS
> GARY
> - ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
>         gem@xxxxxxxxxx  Tel:+1(541)382-8588 Fax: +1(541)382-8676
> 

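The LDAP-then-MySQL-account flow Matt describes above, as an added PHP example rather than anything posted in the thread; the LDAP URI, base DN, database name and the privileged PDO handle are assumptions, and it issues a random database password instead of feeding the student's LDAP password into MySQL.

```php
<?php
// Added example (not code from the thread): bind as the student against LDAP,
// then provision a MySQL account confined to that student's own table.
// LDAP_URI, LDAP_BASE and DB_NAME are assumed placeholders; $admin is a PDO
// handle for an account holding CREATE USER and GRANT OPTION on students.*.
declare(strict_types=1);

const LDAP_URI  = 'ldaps://ldap.example.edu';
const LDAP_BASE = 'ou=people,dc=example,dc=edu';
const DB_NAME   = 'students';

// CREATE USER and GRANT take identifiers, which cannot be bound as prepared
// statement parameters, so the uid is held to a strict allowlist instead.
function validUid(string $uid): bool
{
    return (bool) preg_match('/^[a-z][a-z0-9_]{2,31}$/', $uid);
}

// A successful simple bind as the student's DN proves the password. Empty
// passwords are refused because many servers treat them as anonymous binds.
function ldapAuthenticate(string $uid, string $password): bool
{
    if (!validUid($uid) || $password === '') {
        return false;
    }
    $ldap = ldap_connect(LDAP_URI);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE;
    $ok = @ldap_bind($ldap, $dn, $password);
    ldap_unbind($ldap);
    return $ok;
}

// Create the student's table and account (IF NOT EXISTS needs MySQL 5.7+) and
// grant only what that one table needs. A random database password is issued
// instead of reusing the LDAP one, so the campus credential never reaches the
// database; the caller keeps the returned password server-side for the app.
function provisionStudent(PDO $admin, string $uid): string
{
    if (!validUid($uid)) {
        throw new InvalidArgumentException('uid failed allowlist');
    }
    $dbPass = bin2hex(random_bytes(16));
    $table  = DB_NAME . '.`data_' . $uid . '`';
    $admin->exec("CREATE TABLE IF NOT EXISTS $table (id INT AUTO_INCREMENT PRIMARY KEY, note TEXT)");
    $admin->exec("CREATE USER IF NOT EXISTS `$uid`@'localhost' IDENTIFIED BY " . $admin->quote($dbPass));
    $admin->exec("GRANT SELECT, INSERT, UPDATE, DELETE ON $table TO `$uid`@'localhost'");
    return $dbPass;
}
```

Run the provisioning only after ldapAuthenticate() returns true for the same uid, and open the PDO handle with PDO::ERRMODE_EXCEPTION so a failed GRANT is not silently ignored.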
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html