[xdebug-general] Re: excluding code or variables possible? from Werner Flamme on 2012-06-25 (Xdebug General List)

From: Werner Flamme <werner.flamme[@]ufz.de>
Date: Mon, 25 Jun 2012 18:36:48 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Derick Rethans [25.06.2012 18:14]:
> On Mon, 25 Jun 2012, Werner Flamme wrote:
>
>> In this environment it would be nice, if xdebug would not look at
>> some functions and at some variables, because - if it does -
>> every developer can see the secret passwords for the databese
>> connections...
>>
>> Is there any possibility to tell xdebug *not* to show (or
>> analyse) the content of certain functions and/or variables? For
>> security reasons, this should be configured on the server side.
>
> They can see that anyway with normal PHP code. Xdebug can not show
> more than what you would be able to access through PHP code
> statements (think eval f.e.). So no, there is currently no way to
> do this, and this is also that I am not interested in added either.
> I'd be security by obscurity anyway...

How can they see that? The do not have the PHP code (it's stored in
SVN, access via user/pw only). Since only 3 or 4 developers are
granted access to this "verycore" library, I do not see "security by
obscurity". Except, of course, that every hiding away of anything is
defined as sbo.

Is there a chance that I can read the source code of a function just
by invoking PHP methods, right out of memory, because I do not know
the file name and directory of the code? Or do I have to include a
file manager in the code, tap through every directory, open every PHP
source file?

If you say that there is no way to have xdebug hide some code or
variables away, it's OK. Then the answer to my question ist "no". So
we will not use xdebug in this environment. I'm sad about it, but I
can't change it.

Thank you very much for the answer!

Best Regards,
Werner

- --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/ok6AACgkQk33Krq8b42NeEQCfXFzsx3dmbWDoLT+7lVAX7yka
EnAAn1bD1p8Ek6s15RjPZ4+FjSZm7PSj
=ZD7Q
-----END PGP SIGNATURE-----
Received on Mon Jun 25 2012 - 17:36:49 BST

This archive was generated by hypermail 2.2.0 : Mon Jun 25 2018 - 06:00:04 BST