[CentOS] httpd - mysql - paypal.com.tar - hacker

Fri Aug 21 21:58:38 UTC 2009
R P Herrold <herrold at centos.org>

On Fri, 21 Aug 2009, Rainer Duffner wrote:

> Is there an alternative?

mysql at the command line works fine here

> Because there's no alternative.

There may be no GUI alternative but ignorance needs to be 
solved -- either with a setup wizard such as mediawiki (php 
GUI), or bugzilla (perl checking script), rather than handing 
out a loaded weapon with an un-proof'd breech.

I wrote an RFQ, part of which is after my sig, earlier this 
week.  Note item D that was in it.  If a package is reviewed 
by me, and is not doing all this, at a minimum, I'll not be 
considering running it exteriorly.

-- Russ herrold


Deliverables:

A. php based well formed HTML, at W3C 4.0 or later with all 
sub scripts in a single directory, except the credentials 
file, which shall be php 'include()'-ed from a 
non-remotely accessible directory (e.g., 
/var/www/credentials/memail/config.inc )

B. all input shall be validated, not to exceed a configurable 
length (i.e., support say up to 140 char field values but not 
longer), and to an allowed character set of:
         a-zA-Z0-9\.\,\-\_\+\@\SP

all email addresses downcased to lower -- perhaps obviously, 
\, and \SP are prohibited in email addresses LHS, and domains 
shall exist and be unexpired per an (optional if cached as 
live) whois test on the RHS at verification time

C. with a min 16 char hex hash session key (of a maximum 
configurable life) only externally visible, passed through a 
post or get, and any needed interior state solved in the 
database via that session key

D. MySQL-root account database setup script (with a versioned 
schema noted in a single row table.field: schema.version), and 
application level use of a separate [MySQL] userid [account] 
setup in a config file (with a php config file wizard, usually 
rm'd, mv'd or changed to perms 000, when in production, to 
emit a scrape and paste one), for access across a network to 
the backend store; the code shall confirm its absence or 
those perms on the wizard script before initiating any 
connection to the database

E. delivered and packaged as a SRPM which builds non-root, and 
installs (at least) on a stock archive [base] and [updates] C5 
or later, currently updated
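One way items B, C and D of the deliverables list could be met in PHP, as an added example that is not part of Russ's post, the RFQ, or any CentOS package. The wizard file name, the `sessions` table layout, the `$config` keys, the use of `mysqli`, and PHP 7.4 or later (`random_bytes`, arrow functions) are assumptions of this example; the RFQ's whois test on the domain is replaced here by an injectable callback whose default is a DNS MX/A lookup, so a cached whois result can be dropped in instead.

```php
<?php
// Added example (not the RFQ's own code, nor any CentOS package):
// one way to meet items B, C and D above.  The wizard path, the
// sessions table layout, the $config keys, mysqli and PHP 7.4+
// (random_bytes, fn, ??=) are assumptions, not requirements of the RFQ.
declare(strict_types=1);

// ---- B: bounded, whitelisted input ----------------------------------
// RFQ character set: a-zA-Z0-9 . , - _ + @ and space.  \z rather than $
// so a trailing newline cannot slip past the check.
const ALLOWED_RE = '/^[a-zA-Z0-9.,\-_+@ ]*\z/';

function validate_field(string $value, int $max_len = 140): ?string
{
    if (strlen($value) > $max_len) {          // length first, then charset
        return null;
    }
    return preg_match(ALLOWED_RE, $value) === 1 ? $value : null;
}

// Downcase, then enforce the RFQ's e-mail rules: no ',' or space on the
// LHS and a live RHS domain.  $domain_ok is injectable so the check can
// be a cached whois/DNS result; the default asks DNS for an MX or A RR.
function normalise_email(string $value, int $max_len = 140, ?callable $domain_ok = null): ?string
{
    $value = validate_field($value, $max_len);
    if ($value === null) {
        return null;
    }
    $value = strtolower($value);
    $parts = explode('@', $value);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    if (strpbrk($parts[0], ', ') !== false) {
        return null;
    }
    $domain_ok ??= fn(string $d): bool => checkdnsrr($d, 'MX') || checkdnsrr($d, 'A');
    return $domain_ok($parts[1]) ? $value : null;
}

// ---- C: 16-hex-char session key, all other state in the database ----
const SESSION_KEY_RE = '/^[0-9a-f]{16}\z/';

function new_session_key(): string
{
    return bin2hex(random_bytes(8));          // 8 CSPRNG bytes -> 16 hex chars
}

function load_session(mysqli $db, string $key): ?array
{
    // Validate the only externally visible token before it touches SQL.
    if (preg_match(SESSION_KEY_RE, $key) !== 1) {
        return null;
    }
    $stmt = $db->prepare('SELECT state FROM sessions WHERE session_key = ? AND expires_at > NOW()');
    $stmt->bind_param('s', $key);
    $stmt->execute();
    $stmt->bind_result($state);
    return $stmt->fetch() ? ['state' => $state] : null;  // expired/unknown key: null
}

// ---- D: refuse to connect while the config wizard is still usable ----
function wizard_is_neutralised(string $wizard_path): bool
{
    if (!file_exists($wizard_path)) {         // rm'd or mv'd away
        return true;
    }
    clearstatcache(true, $wizard_path);
    return (fileperms($wizard_path) & 0777) === 0;   // chmod 000
}

function db_connect(array $config, string $wizard_path): mysqli
{
    if (!wizard_is_neutralised($wizard_path)) {
        throw new RuntimeException("refusing DB connection: $wizard_path is still installed with non-zero perms");
    }
    $db = new mysqli($config['host'], $config['user'], $config['pass'], $config['name']);
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    return $db;
}

// ---- usage -----------------------------------------------------------
// Credentials live outside DocumentRoot (item A) and define $config:
//   require '/var/www/credentials/memail/config.inc';
//   $db = db_connect($config, __DIR__ . '/setup_wizard.php');

// Constructed sample inputs (offline: the domain check is stubbed).
$stub = fn(string $d): bool => $d === 'example.org';
var_export([
    'mixed case'       => normalise_email('Alice.Smith+Lists@Example.ORG', 140, $stub),
    'trailing newline' => normalise_email("bob@example.org\n", 140, $stub),
    'comma on LHS'     => normalise_email('a,b@example.org', 140, $stub),
    'over length'      => validate_field(str_repeat('a', 141)),
    'session key'      => preg_match(SESSION_KEY_RE, new_session_key()),
]);
```

The ordering in `db_connect` is the point of item D: the wizard check runs before `new mysqli(...)`, so an application that is deployed with the wizard still readable never gets a database handle at all, rather than working until someone notices. Note also that the RFQ's character set is enforced with `\z`, not `$`; with `$` PCRE accepts a string that ends in a newline, which is exactly the kind of input that later ends up in a header or a log line.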