[RESOLVED] Securty question

shawjames

I have an array that is fetched from MySQL. Some of the array elements are output to an html page. Is it possible for someone to somehow access the information stored in the array?

The page is not secure.

This would be a simple example:

<?php
$arr[info1] = "secret";
$arr[info2] = "info to print";

print $arr[info2];
// is it possible for someone to view $arr[info1]?
?>

Oni

Im pretty sure its perfectly safe. (Not exactly sure because there could always be a hole in the rest if your script)

shawjames

Could you give me an example of what a hole could be?

I could imagine a hole would be the array element printed somewhere else in the page, such as a comment area or header... which would mean it wont show on the page view, but it would in the source code.

Any other common holes?

Piranha

I don't understand why you even store the secret information in an array. Or why you get it from the database. But ok, if you use it somewhere else in the script there is a reason to store the value.

To your real question. This seems perfectly safe. Some things could happen, but it should not affect that value. What can happen is basically:
1. Everything works as it is supposed to be. The value is not visible.
2. The webserver does not work. Nothing is shown to the user or parsed, perfectly safe.
3. PHP does not work. The user will see the PHP code, but since it does not work they can't see what value it should be.
4. The RDBMS does not work. The array will be empty.

Other security threats are for example database injection, poor passwords, passwords that can be seen by the users and settings that compromizes the server. Also to output error messages to the client on the production server is a security risk.