Please correct me if I am wrong, but it is impossible for a remote machine to
make an FTP connection to a local machine running just PHP/Apache/MySQL. The FTP
functions available in PHP enable PHP scripts to act as an FTP client and
cannot be used to accept remote FTP connections.

Other functions (the socket functions), however, could be used to create what is
needed in order to provide the FTP server functionality that your ISP fears. It
is these functions that your ISP should be disabling, and not the FTP functions,
in order to protect themselves from a client allowing FTP access via a PHP
script that they have written.

James Hicks


-----Original Message-----
From: Christopher Ditty [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 11, 2003 3:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [PHP] PHP FTP a security risk?????


Chris, Did you read the rest of the message?  It sounds like the web host is
saying that someone can access PHP FTP from an outside server and hack into
the server.

I am not trying to start a debate on whether or not people should send
passwords and userids over plain text.  Yes, that is a security risk.  My
concern is that this webhost is telling my customer that PHP FTP itself is a
security risk when it does nothing more than act like ws-ftp.

>>> "Chris Wesley" <[EMAIL PROTECTED]> 02/11/03 02:22PM >>>
On Tue, 11 Feb 2003, Chris Wesley wrote:

> On Tue, 11 Feb 2003, Christopher Ditty wrote:
>
> > errors, no nothing.  I talked to his host and found out that they do
> > not allow PHP FTP because it is a security risk.  ?????  Ummmm, ok?
>
> That said ... FTP is a protocol;  there's nothing stopping you from
> opening a socket and talking FTP back & forth across it (unless your host
> has disabled fsockopen() too).  If you know the protocol, you probably
> know how and why to avoid its security concerns.
>
> Other options:  Move to a less security-minded hosting provider (looks
> like you've already started that), or ask the FTP server admin to provide
> download access to your file via HTTP.

You might find this interesting too -- straight from Example 1 for fopen()
in the PHP manual:  http://www.php.net/manual/en/function.fopen.php

$handle = fopen("ftp://user:[EMAIL PROTECTED]/somefile.txt", "w");

        b.careful ... g.luck,
        ~Chris



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
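
The distinction drawn in this thread (the ftp_* functions are client-only, while the socket functions and the fopen() ftp:// wrapper are separate code paths) can be checked against a host's actual configuration. The script below is an added example, not code from the thread; the function groupings and the names `audit`, `parse_disabled` and `still_callable` are this example's own, and it assumes PHP 7.4 or later.

```php
<?php
// Added example: report which network-capable PHP functions remain callable
// under the current disable_functions setting. Groupings are illustrative.
const GROUPS = [
    'FTP client (ftp_* extension)' => ['ftp_connect', 'ftp_login', 'ftp_get', 'ftp_put'],
    'Outbound sockets (client)'    => ['fsockopen', 'pfsockopen', 'stream_socket_client', 'socket_connect'],
    'Listening sockets (server)'   => ['stream_socket_server', 'socket_create_listen',
                                       'socket_bind', 'socket_listen', 'socket_accept'],
];

// Parse a disable_functions value into a list of lowercase function names.
function parse_disabled(string $ini): array
{
    $names = array_map('trim', explode(',', strtolower($ini)));
    return array_values(array_filter($names, 'strlen'));
}

// Before PHP 8, function_exists() is true for disabled functions, so the
// disable_functions list is checked as well.
function still_callable(string $fn, array $disabled): bool
{
    return function_exists($fn) && !in_array($fn, $disabled, true);
}

function audit(string $disableIni, bool $allowUrlFopen, array $wrappers): array
{
    $disabled = parse_disabled($disableIni);
    $report = [];
    foreach (GROUPS as $label => $functions) {
        $report[$label] = array_values(array_filter(
            $functions,
            fn ($fn) => still_callable($fn, $disabled)
        ));
    }
    // fopen("ftp://...") bypasses ftp_*: it needs the ftp stream wrapper,
    // allow_url_fopen, and fopen itself not being disabled.
    $viaFopen = $allowUrlFopen && in_array('ftp', $wrappers, true)
        && still_callable('fopen', $disabled);
    $report['fopen() ftp:// wrapper'] = $viaFopen ? ['fopen'] : [];
    return $report;
}

$live = audit((string) ini_get('disable_functions'),
    filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
    stream_get_wrappers());
foreach ($live as $label => $callable) {
    printf("%-30s %s\n", $label . ':', $callable ? implode(', ', $callable) : '(none callable)');
}
```

A host that has only blocked the ftp_* functions will show an empty first row while the socket rows and the fopen() row are still populated.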



