This is well-documented.  Right out of the set_time_limit() docs:

 Note:  The set_time_limit() function and the configuration directive
 max_execution_time only affect the execution time of the script itself.
 Any time spent on activity that happens outside the execution of the
 script such as system calls using system(), the sleep() function,
 database queries, etc. is not included when determining the maximum time
 that the script has been running.

Like anything else, you need to check user input.  There are all sorts of
malicious things that can happen if you use user-data incorrectly.

-Rasmus

On Sat, 18 May 2002, Jason Caldwell wrote:

> Dunno if this has been mentioned or fixed in the latest release (I'm using
> PHP version 4.1.1) -- but, a script will not timeout until the sleep()
> function has finished its duration -- for example:
>
> In my script, if I set "set_time_limit(30)" -- then later in the script I
> call a "sleep(45)" -- the script will not timeout until 45 seconds later,
> from the point at which the sleep() function was called.
>
> Now, being a conscious programmer -- I'd probably never set my sleep()
> function to exceed my default or defined timeout setting.  However, the
> sleep value can be set via a $var -- and depending on what functions are
> performed -- I can see how, when a programmer wants his script to timeout
> within a certain amount of time and then it doesn't; can cause a problem --
> in fact, I can foresee some sort of sleep-attack whereby a malicious hacker
> figures out that a particular script on a particular website has a dynamic
> $var for the sleep() function -- then s/he writes a script which calls the
> page many times --- "injecting" the $var (say for example:
> http://www.whateverweb.goo/home.php?t=65536, where $t is the time $var in
> the script; "sleep($t);")
>
> Effectively; in this case, the scripts won't timeout for 18 some hours.
> Filling up memory fast.
>
> Just FYI.
> Jason
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
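
The input check recommended in the reply, applied to the sleep($t) case from the quoted message, as an added example that is not part of the original thread. The names MAX_DELAY, WALL_BUDGET, parse_delay and bounded_sleep are hypothetical, the sample inputs are constructed, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: all names and limits below are hypothetical.

const MAX_DELAY   = 5;   // largest single sleep a request may ask for, in seconds
const WALL_BUDGET = 20;  // wall-clock budget per request, below set_time_limit(30)

// Validate a user-supplied delay: an int in [0, MAX_DELAY], or null if rejected.
function parse_delay($raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_DELAY],
    ]);
    // filter_var() returns false on failure; 0 is a valid result, so compare strictly.
    return $value === false ? null : $value;
}

// sleep() is not counted by set_time_limit(), so track wall-clock time ourselves
// and never sleep past the request's own deadline. Returns the seconds slept.
function bounded_sleep(int $seconds, float $startedAt): int
{
    $remaining = (int) floor(WALL_BUDGET - (microtime(true) - $startedAt));
    $allowed   = max(0, min($seconds, $remaining));
    if ($allowed > 0) {
        sleep($allowed);
    }
    return $allowed;
}

$startedAt = microtime(true);
set_time_limit(30);

// Constructed sample inputs standing in for $_GET['t'].
foreach (['3', '65536', '-1', '2abc', null] as $raw) {
    $delay = parse_delay($raw);
    printf("%-8s => %s\n", var_export($raw, true),
        $delay === null ? 'rejected' : "sleep {$delay}s");
}

// Request handling: reject anything outside the allowed range before sleeping.
$t = parse_delay($_GET['t'] ?? '0');
if ($t === null) {
    http_response_code(400);
    exit("invalid delay\n");
}
bounded_sleep($t, $startedAt);
```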

