Message-ID: <c2573e041105125371302fbe@mail.gmail.com>
From: smp.repicky at gmail.com (Matt)
Subject: How secure is PHP ?

I was actually thinking of a way to incorporate it into an already existing network setup that they probably have. Most universities still run LDAP access to information for student directory purposes. It also is easy to authenticate against without requiring extra special permissions or having people register to use the website with new user accounts. Of course authenticating against an apache htpasswd is do-able.

As far as storing the information, I forgot what the beginning of the posted question was and was going by what JB was saying instead of what Nayana first posted. If you're using a L-A-M-P system you could make separate users in the mysql database for each student. That would keep students from seeing each other's data. Depending how you want to set up tables and access rights becomes a database issue of design for grants and such, but it wouldn't be hard to make a new user in the database with a database script called by the php interface.

Once a user is authenticated through LDAP then you know that it's not someone typing in their username incorrectly. If the user account exists in the database, you can allow the student back through to see their own data and edit, add, remove whatever you see that the project requires their access to be. If the user doesn't exist, you can then run a user creation script which gives predetermined roles and privs to the user. Remember it's all SQL anyways, just set up a file with the commands and then feed it the user and password from the php interface to create the user with specified password. Each student can get their own table for storing information in the database and then the database can take it all and bring it to a central store table accessible by someone with higher privs if that's part of what you're looking for.

If you wanted to go deep enough, you could even write a php interface for the higher privileged user to access the data and see it all in pretty tables or graphs or however the information is to be displayed.

--

On Fri, 5 Nov 2004 09:56:57 -0800 (PST), Gary E. Miller <gem@...lim.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Yo Matt!
>
> On Fri, 5 Nov 2004, Matt wrote:
>
> > There is actually a very easy way around this. If you are running an
> > LDAP or AD environment, you can use the LDAP to authenticate the
> > users, then once the user is authenticated, take the username and
> > store that into a variable which you can then use to chown and chgrp
> > the resulting files for that user after they are written.
>
> You do not need LDAP or AD for this. Apache can happily validate
> against the local /etc/password or an htpasswd file. Then use suexec to
> get the perms right. All the config you need for this will fit nicely
> in your httpd.conf.
>
> OTOH, you better have a better than average Apache Admin to noodle this
> out.
>
> RGDS
> GARY
> - ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
> gem@...lim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFBi77s8KZibdeR3qURAn4zAJ9xRiylidDDHGYBE884sJNXI+UoZQCfRDQI
> U0sA9qe1qBFL5ePS/N1wTwE=
> =AIIz
> -----END PGP SIGNATURE-----
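
Added example (not code from the thread): a PHP sketch of the post-LDAP provisioning step described in the message above, showing the allowlist check a username needs before it is placed in CREATE USER and GRANT statements. The `coursework` database, the `student_` table prefix, the username pattern and the separately generated database password are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Hypothetical names for this example: database `coursework`, table prefix `student_`.
const DB_NAME = 'coursework';

/**
 * Build the statements that provision one student. Call only after the
 * LDAP bind for $uid has succeeded.
 */
function provisioningStatements(string $uid, string $dbPassword): array
{
    // Account and table names cannot be bound as query parameters, so the
    // only safe input is one that matches a strict allowlist.
    if (preg_match('/\A[a-z][a-z0-9]{1,15}\z/', $uid) !== 1) {
        throw new InvalidArgumentException('username has unexpected format');
    }
    // Hex-only password: nothing in it can terminate the SQL string literal.
    if (preg_match('/\A[0-9a-f]{32}\z/', $dbPassword) !== 1) {
        throw new InvalidArgumentException('password must be 32 hex characters');
    }
    $account = "'{$uid}'@'localhost'";
    $table   = sprintf('`%s`.`student_%s`', DB_NAME, $uid);

    return [
        "CREATE USER IF NOT EXISTS {$account} IDENTIFIED BY '{$dbPassword}'",
        // Created before the GRANT so the table-level grant has a target.
        "CREATE TABLE IF NOT EXISTS {$table} (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT NOT NULL)",
        // Least privilege: row-level rights on the student's own table only.
        "GRANT SELECT, INSERT, UPDATE, DELETE ON {$table} TO {$account}",
    ];
}

// Constructed sample input: one well-formed uid and one containing a quote.
foreach (['jdoe42', "o'brien"] as $uid) {
    try {
        $password = bin2hex(random_bytes(16)); // separate from the LDAP password
        foreach (provisioningStatements($uid, $password) as $sql) {
            echo $sql, ";\n"; // a deployment would run these over an admin connection
        }
    } catch (InvalidArgumentException $e) {
        echo "rejected ", var_export($uid, true), ": ", $e->getMessage(), "\n";
    }
}
```

The first uid yields three statements scoped to its own table; the second is rejected before any SQL is built.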