On Mon, 2010-08-16 at 09:27 +0530, kranthi wrote:

> I would configure Apache to let the PHP interpreter handle all kinds of
> extensions ( http://httpd.apache.org/docs/2.0/mod/mod_mime.html#addhandler
> )
> 
> Even then you'll have to go through all the steps pointed out by Ash.
> The only advantage of this method is a more user-friendly URL.
> 


That would be very slow and prone to failure. What happens when Apache
comes across a binary file that contains <?php inside? It seems
unlikely, but I've found the more unlikely something should be, the more
often it occurs at just the wrong moment! For example, a document that
talks about PHP, or an image that randomly contains those characters as
part of the bitmap data?

Also, the idea of tying an ID into the DB does still allow you to use
friendly URLs, but is the ability to guess filenames really something
you want in a security system? It would be more prone to brute force
attacking I think.

Thanks,
Ash
http://www.ashleysheridan.co.uk
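
The following is an added example, not code from this thread: one way to tie a download to a database ID while keeping the ID unguessable and never passing file contents to the PHP parser. The `files` table, its columns, the function names and the use of a random 128-bit token instead of a sequential ID are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; table and column names are assumptions.

// Constructed store: in-memory SQLite standing in for the real database.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE files (token TEXT PRIMARY KEY, path TEXT, name TEXT)');
    return $db;
}

// Register a stored file under a random 128-bit token instead of its filename.
function register_file(PDO $db, string $path, string $name): string {
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO files (token, path, name) VALUES (?, ?, ?)')
       ->execute([$token, $path, $name]);
    return $token;
}

// Look up a token; anything that is not exactly 32 hex characters is rejected.
function resolve_token(PDO $db, string $token): ?array {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT path, name FROM files WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stream the bytes as data: readfile() copies them out without parsing them as PHP.
function send_file(array $row): void {
    $name = str_replace('"', '', basename($row['name']));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($row['path']);
}

// Demo with constructed data: a "binary" upload that happens to contain "<?php".
$db = open_store();
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n<?php echo 'not executed';");
$token = register_file($db, $tmp, 'photo.png');
var_dump(resolve_token($db, 'photo.png'));     // a filename is not a valid token
var_dump(resolve_token($db, $token)['name']);  // the token maps back to the record
unlink($tmp);
```

In a real download script the token would come from the request, and `send_file()` would be called only after the usual access checks on the resolved row.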

