Well, since I'm a newbie and also Norwegian it ain't that easy to explain
very simply.
What he did was that he entered a file that showed all the users of the
server, as I said, and he told me this was kind of insecure.
To prevent it he showed me a code that would help a bit.

$filename=str_replace("..","",$filename);  // strip parent-directory sequences
$filename=str_replace("/","",$filename);   // strip directory separators
$filename=str_replace("%20","",$filename); // strip the literal text "%20"

He used /, .. and %20 to reach this file on my server.

/Marthe
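
As an added example (not code from the thread or from Marthe's friend): instead of stripping "..", "/" and "%20" from the name, which is a denylist that only catches the exact sequences it lists, confine the file name to one directory with basename() and realpath() and reject anything that resolves outside it. The resolve_in_dir() function and the sample directory layout are constructed for this illustration, and it assumes PHP 7.1 or newer.

```php
<?php
// Added example, not from the thread: confine a user-supplied file name to one
// directory. Function name and the sample files below are constructed.

// Resolve $userFile inside $baseDir; return the real path, or null if the name
// escapes the directory or does not exist.
function resolve_in_dir(string $baseDir, string $userFile): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Keep only the last path component: no directories, no ".." and no separators.
    $name = basename($userFile);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() resolves symlinks and ".."; the prefix check then rejects any
    // result that is not located under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = realpath($prefix . $name);
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample layout: a "public" directory with one readable file and a
// file one level above it that the web page must never serve.
$tmp = sys_get_temp_dir() . '/php_safe_' . getmypid();
mkdir($tmp . '/public', 0700, true);
file_put_contents($tmp . '/public/hello.txt', "hello\n");
file_put_contents($tmp . '/secret.txt', "not for the web\n");

$tests = [
    'hello.txt',       // plain name inside the directory -> allowed
    '../secret.txt',   // parent-directory request -> rejected
    'hello.txt ',      // "%20" is decoded to a space by PHP before the script runs; no such file
    '/etc/passwd',     // absolute path -> basename() keeps only "passwd", which is not in public
];
foreach ($tests as $t) {
    $r = resolve_in_dir($tmp . '/public', $t);
    printf("%-16s => %s\n", $t, $r === null ? 'rejected' : basename($r));
}

// Remove the constructed files again.
unlink($tmp . '/public/hello.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/public');
rmdir($tmp);
```

Only the first name resolves to a file; the other three return null, so the page never touches anything outside the directory it was meant to serve.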

-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 03, 2001 7:44 AM
To: Marthe Kristiansen
Cc: Php-General
Subject: Re: [PHP] Safety with PHP.


Not much to go on here.  Basically don't do whatever it was you did.  And
yes, understanding the environment you are working in, both the OS and PHP
and whatever 3rd party stuff you hook PHP up to is the first step to
making stuff secure.

-Rasmus

On Tue, 3 Apr 2001, Marthe Kristiansen wrote:

> Hey you guys!
>
> I'm a new girl at this, and wondering about a question that might be simple
> for you.
> Yesterday I started to learn PHP and proud I showed it to a friend of
> mine, what I had learned.
> The first thing he did was check the safety of it and very easily he found
> the list over all the users of the server, f.ex.
> I'm glad I didn't upload the new pages as frontpages yet =)
> What can I do to prevent this and how can I build the pages safer than
> they are today?
> Perhaps it would be a good idea to learn basic Linux, I'm also considering
> to buy another computer to use with Linux.
>
> Greetings,
> Marthe
>
> -http://www.marthe.com (under construction!)
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>

