Liam MacKenzie wrote:
> permission to create tables in other databases, but they can
> still browse them and view the information.

I do not know MySQL but I'd be very surprised if this was not a database creation/configuration issue. In postgres, unless given permission, I cannot even connect to someone else's database.

> Anyway, the example I used for the named.conf was a bad one.
> They cannot delete this, but they can view its contents. How
> can I restrict all PHP functions to the one directory? So if a user makes a file like this:
> <?
> include ("../../../../../../../../../etc/eXtremail/eXtremail.conf");
> ?>
>
> Instead of printing the conf file with the SMTP password in it,
> it'll return an error.

I think this is a real general security issue, not limited to PHP. Some sites do not have write access to anything in cgi-bin but have some scripts which may be read and used. Now with perl and php, executing ordinary commands becomes easier.

I have an account on a webhosting (GNU Linux) computer, only ftp and web access and to my area only (no shell). Apache has a "document root" for me and I cannot go above it. The ftp access has a ftproot for me and I cannot go above it.

Last night I ftp'ed a little perl (it does not have php) script into my directory, chmod to 755 and executed it (by its url). It did a "cat /etc/httpd/conf/httpd.conf > filename". I then ftp'ed it back to me. I can only read/modify files for which my username/group has permissions but it's enough to give me all the login names if I wanted them.

Used as cgi-bin type scripts, perl, php (and anything else) have no concept of a document root, so root is the real root. A compiled C program uploaded can do the same.

I feel an execution parser is needed so that only certain types of programs may be executed, and the concept of an execution root to users' directories. Read/execute access to some things outside are necessary though.

What do others on the list think? This issue must have come up before somewhere, so is there an accepted solution and am I missing something?

Regards
Chris

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
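The quoted question asks how to keep an include confined to one directory. As an added example (not code from this thread or from PHP itself), the script below canonicalises the requested path with realpath() and refuses anything that resolves outside a base directory; confined_path, $base and $requested are hypothetical names, and the sandbox directory it creates is constructed only for the demo.

```php
<?php
// Added example, not from the thread. Confine an include to one directory by
// resolving the requested path and requiring the result to sit inside $base.
// The eXtremail path is the one quoted in the thread and is used here only
// as an input that must be refused.

function confined_path(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                        // base directory must exist
    }
    if (strpos($requested, "\0") !== false) {
        return null;                        // NUL bytes truncate C-level paths
    }
    // realpath() resolves "..", "." and symlinks against the real filesystem,
    // so a traversal that escapes $base shows up as a path outside it.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;                        // no such file
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the base directory
    }
    return $target;
}

// Constructed demo: a throw-away sandbox directory with one legitimate include.
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'confine-demo-' . getmypid();
mkdir($sandbox);
file_put_contents($sandbox . '/header.inc', "<?php echo \"header included\\n\";\n");

$requests = [
    'header.inc',                                                   // allowed
    '../../../../../../../../../etc/eXtremail/eXtremail.conf',      // refused
    '/etc/passwd',                                                  // refused
];
foreach ($requests as $name) {
    $path = confined_path($sandbox, $name);
    if ($path === null) {
        echo "refused: $name\n";
        continue;
    }
    include $path;                          // only reached for paths inside $sandbox
}

unlink($sandbox . '/header.inc');
rmdir($sandbox);
```

This only limits what the script itself chooses to include; a script that reads files directly, like the perl example in the reply, is still bounded only by the web server user's filesystem permissions.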