Shawn McKenzie wrote:
Settings such as safe_mode come into play. There is a difference between what a webhost provider expects from someone trusted with an account, and what is expected of a user of your website. The best advice I've heard is to assume a user of your site is a hacker who wants to bring your site down. ...Is this expected behavior???
...so check and validate any user input. If you decide that it is not a good idea to allow a user to specify /etc/passwd (as all user names are stored there), then check and reject such things (commonly any absolute path). (myscript.php?page=http://mysite.com/dir/cool.html, or relative URLs (myscript.php?page=/dir/cool.html). Can I do this without allowing someone to include files by filesystem reference???
PHP General Mailing List (http://www.php.net/)
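One way to do the check the reply describes, as an added example that is not part of the original message: the `page` value is accepted only if it resolves to a static file inside a single content directory. `BASE_DIR`, `resolve_page()` and the extension list are hypothetical, and mapping a leading-slash value such as `/dir/cool.html` under the content directory (instead of the filesystem root) is an assumption of this sketch.

```php
<?php
// Added example (not from the original thread). BASE_DIR and resolve_page()
// are hypothetical names; adjust the directory and extensions to your site.
const BASE_DIR = __DIR__ . '/pages';   // assumed location of servable content

function resolve_page(string $page, string $baseDir = BASE_DIR): ?string
{
    // Reject empty values, NUL bytes, and anything with a scheme prefix
    // (http://, php://, data:, and Windows drive letters such as C:).
    if ($page === '' || strpos($page, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $page)) {
        return null;
    }

    // Interpret the value relative to the content directory, so a leading
    // slash never refers to the filesystem root.
    $candidate = $baseDir . '/' . ltrim(str_replace('\\', '/', $page), '/');

    // realpath() resolves "../" segments and symlinks; false = no such file.
    $real = realpath($candidate);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;
    }

    // After resolution the path must still be inside the content directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // Serve only static file types, and only regular files.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['html', 'htm', 'txt'], true) || !is_file($real)) {
        return null;
    }
    return $real;
}

// ?page[]=x arrives as an array, so check the type before resolving.
$raw  = $_GET['page'] ?? '';
$path = is_string($raw) ? resolve_page($raw) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
readfile($path);   // emit the file as data; it is never executed as PHP
```

With this check, `page=/etc/passwd` is looked up as `pages/etc/passwd` and `page=../../etc/passwd` resolves outside the content directory, so both end in the 404 branch.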