On Tue, 11 Feb 2003, Christopher Ditty wrote:

> errors, no nothing.  I talked to his host and found out that they do
> not allow PHP FTP because it is a security risk.  ?????  Ummmm, ok?

I consider FTP a security risk, period.  (There /are/ ways to run an FTP
server securely, but I won't assume everyone, or even anyone, knows this.)
The possibility of having plain-text authentication flying around ...
security risk.  This is probably the perspective of your hosting company.

You may want to only access a server which provides anonymous FTP.  You
might not use the same username and password to the FTP server that you
use on the hosting server.  You might only be accessing a server on a
trusted network.  But you're just one user.  From a sysadmin perspective,
that's a lot of assumptions made about all the other users who could
potentially use those FTP functions and not take the precautions you took.
(Not to mention, that it's a bit rude to expose someone's FTP server to
compromise just because the security issue doesn't affect the hosting
server.  Plain-text authentication, such as FTP and Telnet use, is the
bane of sysadmin existence ... usernames and passwords are sniffed too
easily.)

That said ... FTP is a protocol;  there's nothing stopping you from
opening a socket and talking FTP back & forth across it (unless your host
has disabled fsockopen() too).  If you know the protocol, you probably
know how and why to avoid its security concerns.

Other options:  Move to a less security-minded hosting provider (looks
like you've already started that), or ask the FTP server admin to provide
download access to your file via HTTP.

... hope that provides some insight.

        ~Chris


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
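
The sysadmin's-eye view described above, as an added example that is not part of the original post: a small audit over FTP control-channel lines that separates anonymous logins from sessions whose real credentials crossed the wire unencrypted, including the case where the client asked for TLS, was refused, and fell back to plain text. The `<session> <C|S> <line>` input format, the sample data and the finding labels are assumptions made for the illustration.

```python
# Constructed sample: "<session> <C|S> <control-channel line>"; not real traffic.
SAMPLE = """\
s1 C USER anonymous
s1 S 331 Guest login ok, send your e-mail address as password.
s1 C PASS guest@example.org
s1 S 230 Login successful.
s2 C USER webmaster
s2 S 331 Password required.
s2 C PASS constructed-secret
s2 S 230 Login successful.
s3 C AUTH TLS
s3 S 234 Proceed with negotiation.
s4 C AUTH TLS
s4 S 502 Command not implemented.
s4 C USER backup
s4 S 331 Password required.
s4 C PASS constructed-secret-2
s4 S 530 Login incorrect.
"""

ANONYMOUS = {"anonymous", "ftp"}

def audit(transcript):
    """Map each session to a finding; passwords are never stored or returned."""
    sessions = {}
    for line in transcript.splitlines():
        sid, side, text = line.split(" ", 2)
        s = sessions.setdefault(sid, {"user": "", "asked": False, "tls": False, "exposed": False})
        if side == "S":
            # 234 is the RFC 4217 reply accepting AUTH; later bytes are encrypted.
            if text.startswith("234") and s["asked"]:
                s["tls"] = True
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()  # FTP verbs are case-insensitive
        if verb == "AUTH":
            s["asked"] = True
        elif verb == "USER":
            s["user"] = arg.strip().lower()
        elif verb == "PASS" and not s["tls"] and s["user"] not in ANONYMOUS:
            s["exposed"] = True  # exposed whether or not the login then succeeds
    findings = {}
    for sid, s in sessions.items():
        if s["exposed"]:
            findings[sid] = "cleartext-after-tls-refused" if s["asked"] else "cleartext"
        else:
            findings[sid] = "tls" if s["tls"] else "no-credentials-exposed"
    return findings
```
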
