Op donderdag 15 augustus 2002 01:03, schreef u:
> So, if somebody gets an ftp account somehow, he will be able to get session
> vars via a system() command?

You holds him in its own dir by the chroot setting of you ftpserver.
> via a system();
you mean if they upload a php file?
prevent that with your php.ini settings:

open_basedir string:  Limit the files that can be opened by PHP to the 
specified directory-tree.
safe_mode boolean
  Whether to enable PHP's safe mode. Read the Security and Safe Mode chapters 
for more information. 

if you allow cgi, you must built the same sort restrictions for that too. 


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to