Stuart Dallas am Montag, 23. September 2013 - 12:58:

> And, honestly, who would have a PHP file per language? I think it's
perfectly reasonable to not allow that, because duplicating PHP code
across many files is an incredible stupid way to support multiple
I agree!! Didn't even know, that this kind of faked language support

> "Some people run all their files through PHP" - true, but that doesn't
mean they should, or that you, as a responsible web host, should be
endorsing it.
> PHP developers should absolutely validate all content coming in from
users in every possible way, but I would be highly dubious about
trusting a host who gives the reason above for what I consider a lax and
insecure Apache configuration. It's like saying they sliced your arm off
with their chainsaw because it's made for cutting things, attempting to
dodge all responsibility for having swung it in your direction!
OK, in principle, I also agree. But this case is very easy to handle.
I'm simply running "str_replace()" against dangerous parts of uploaded
filenames, ".php" for instance. After that, Apache in every
configuration will just serve, and never execute user uploaded files.
Remains the risk on the clients side, I must concede. Better solutions?

Nice days,

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to