Marthe,

How was the script executed and under what user privileges? Was it executed
by a client from a browser or was it executed directly from the command
line?

PHP is a server-side scripting language (that can also be configured to
execute as a standalone language). Your clients should not be able to create
PHP scripts and execute them. Only programmers of the system should be able
to create scripts. PHP's ability to access existing files and create new
files on the system is a good thing; but you, as the programmer, must ensure
that file permissions are set correctly and that passwords to privileged
accounts are protected.

One of the biggest "pitfalls" or "gotchas" is misconfigured systems and
applications. For example, what user/group is your web server running as?
The web page creation and presentation are only one aspect of designing a
secure site. Even some of the "Big" sites can have problems...Apache.org
comes to mind, which was compromised not by bugs in any system, but by a
simple misconfiguration of MySQL.

Learn your OS and all of the applications on your system to the extent that
you understand what security issues each bring to the mix.

As always...Have Fun!


Dean




> Well, since I'm a newbie and also Norwegian it ain't that easy to explain
> very simply.
> What he did was that he entered a file that showed all the users of the
> server, as I said, and he told me this was kind of insecure.
> To prevent it he showed me a code that would help a bit.
>
> $filename=str_replace("..","",$filename);
> $filename=str_replace("/","",$filename);
> $filename=str_replace("%20","",$filename);
>
> He used /, .. and %20 to reach this file on my server.
>
> /Marthe



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
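The str_replace() lines quoted above strip a few characters out of the file name; a safer pattern is to accept only file names that match a strict whitelist and then check where the resolved path actually lands. The following is an added example written for this thread, not code from either poster; the directory name, the helper name safe_user_file() and the test file names are assumptions. (Note that PHP URL-decodes request parameters before the script sees them, so a literal "%20" rarely reaches a str_replace() call anyway.)

```php
<?php
// Added example, not code from the thread. Assumes a directory of
// user-viewable files at $baseDir; the file name would normally come
// from a request parameter (constructed below for a stand-alone run).

/**
 * Resolve a user-supplied file name to a path inside $baseDir, or
 * return null if it is not a plain, existing file in that directory.
 */
function safe_user_file(string $baseDir, string $name): ?string
{
    // 1. Allow only a conservative character set: letters, digits,
    //    underscore, dash and dot, with no leading dot. This rejects
    //    "..", ".htaccess" and anything containing "/" or "\".
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}$/', $name)) {
        return null;
    }

    // 2. Canonicalise both paths (symlinks and ".." resolved) and make
    //    sure the target is still inside the base directory.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;          // base dir missing or file does not exist
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;          // escaped the directory (e.g. via a symlink)
    }
    return is_file($full) ? $full : null;
}

// Constructed demonstration: a temporary base directory with one file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_user_file_demo';
@mkdir($baseDir, 0700);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'readme.txt', "hello\n");

$tests = [
    'readme.txt'    => true,    // plain file in the directory: accepted
    '../secret.txt' => false,   // ".." and "/" rejected by the whitelist
    '.hidden'       => false,   // leading dot rejected
    'missing.txt'   => false,   // well-formed name, but no such file
];
foreach ($tests as $name => $expectOk) {
    $ok = safe_user_file($baseDir, $name) !== null;
    printf("%-16s %s\n", $name, $ok === $expectOk ? 'ok' : 'UNEXPECTED');
}
```

The realpath() check matters even with the whitelist: if a file inside the directory is itself a symlink pointing elsewhere, the whitelist alone would let it through.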
