[CentOS] httpd - mysql - paypal.com.tar - hacker
R P Herrold
herrold at centos.org
Fri Aug 21 21:58:38 UTC 2009
On Fri, 21 Aug 2009, Rainer Duffner wrote:
> Is there an alternative?
mysql at the command line works fine here
> Because there's no alternative.
There may be no GUI alternative but ignorance needs to be
solved -- either with a setup wizard such as mediawiki (php
GUI), or bugzilla (perl checking script), rather than handing
out a loaded weapon with an un-proof'd breech.
I wrote an RFQ, part of which is after my sig, earlier this
week. Note item D that was in it. If a package is reviewed
by me, and is not doing all this, at a minimum, I'll not be
considering running it exteriorly.
-- Russ herrold
Deliverables:
A. php based well formed HTML, at W3C 4.0 or later with all
sub scripts in a single directory, except the credentials
file, which shall be php 'include()'-ed from a
non-remotely accessible directory (eg,
/var/www/credentials/memail/config.inc )
B. all input shall be validated, not to exceed a configurable
length (ie support say up to 140 char field values but not
longer), and to an allowed character set of:
a-zA-Z0-9\.\,\-\_\+\@\SP
all email addresses downcased to lower -- perhaps obviously,
\, and \SP are prohibited in email addresses LHS, and domains
shall exist and be unexpired per an (optional if cached as
live) whois test on the RHS at verification time
C. with a min 16 char hex hash session key (of a maximum
configurable life) only externally visible, passed through a
post or get, and any needed interior state solved in the
database via that session key
D. MySQL-root account database setup script (with a versioned
schema noted in a single row table.field: schema.version), and
application level use of a separate [MySQL]userid [account]
setup in a config file (with a php config file wizard, usually
rm'd, mv'd or changed to perms 000, when in production, to
emit a scrape and paste one), for access across a network to
the backend store; the code shall confirm its absence or
these perms on the wizard script before initiating any
connection to the database
E. delivered and packaged as a SRPM which builds non-root, and
installs (at least) on a stock archive [base] and [updates] C5
or later, currently updated
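Added example, not part of the original mail: one way to implement items B and D of the RFQ in PHP. The function names, the config keys (host, db, user, pass) and the wizard path are placeholders chosen here, not names from the post.

```php
<?php
// Added example, not from the original post: items B and D of the RFQ.
// Function names, config keys and paths are placeholders.

// Item B: reject values over the configured length or outside the allowed
// character set a-zA-Z0-9 . , - _ + @ and space (the RFQ's \SP).
function validate_field(string $value, int $maxLen = 140): bool
{
    if (strlen($value) > $maxLen) {
        return false;
    }
    // D modifier: '$' must match at the very end, so "abc\n" is rejected.
    return preg_match('/^[a-zA-Z0-9.,\-_+@ ]*$/D', $value) === 1;
}

// Item B, email part: downcase, then forbid ',' and space in the local part.
// The whois/DNS liveness check on the domain is a separate, cacheable step.
function normalise_email(string $addr): ?string
{
    $addr = strtolower($addr);
    if (!validate_field($addr) || substr_count($addr, '@') !== 1) {
        return null;
    }
    [$lhs, $rhs] = explode('@', $addr);
    if ($lhs === '' || $rhs === '' || strpbrk($lhs, ', ') !== false) {
        return null;
    }
    return $addr;
}

// Item D: the config wizard must be gone (rm'd/mv'd) or mode 000 before the
// application opens any database connection with its non-root account.
function wizard_is_neutralised(string $wizardPath): bool
{
    clearstatcache(true, $wizardPath);
    if (!file_exists($wizardPath)) {
        return true;
    }
    return (fileperms($wizardPath) & 0777) === 0;
}

function connect_backend(array $cfg, string $wizardPath): PDO
{
    if (!wizard_is_neutralised($wizardPath)) {
        throw new RuntimeException('config wizard still accessible; refusing to connect');
    }
    // Application-level account read from the config file, never MySQL root.
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['db']);
    return new PDO($dsn, $cfg['user'], $cfg['pass'], [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}
```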