RE: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread Jason Murray

 I'm think I'm going to start forwarding all the bugtraq 
 alerts for PHP scripts to this list. Any objections?

Yes, if the author of the script isn't on the list it's useless
unless someone wants to patch their script themselves. And if
they're the kind of person who's inclined to do that, they'd
most likely already be watching BugTraq.

There's such a large possibility of crappily-written code out
there, I don't know if its worth the traffic on this list
given that it's usually newbies.

J

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread bvr


I agree, but it may be useful to tell those newbies that when you
execute a command from PHP that will get some parameters from an external
source (like a form or a get variable) ALWAYS use the

escapeshellcmd()

function to prevent users from executing arbitrary commands.

bvr.

There's such a large possibility of crappily-written code out
there, I don't know if its worth the traffic on this list
given that it's usually newbies.
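To make the advice above concrete, here is an added example (not code from this thread or from the PhpSmsSend script) that builds the same shell command three ways and shows what reaches the shell in each case; it goes one step past the thread by also showing per-argument quoting with escapeshellarg(), which keeps each external value as exactly one argument. The `sendsms` tool, the function names and the sample input are assumptions, and nothing is executed: the script only prints the command strings.

```php
<?php
// Added example, not from the original thread or the PhpSmsSend script.
// Assumes a hypothetical command-line tool "sendsms <number> <message>".

// Unsafe: request values spliced straight into the shell command line.
function build_unsafe(string $to, string $msg): string {
    return "sendsms $to $msg";
}

// As the thread recommends: escape the assembled command string.
// Shell metacharacters (; | & ` $ ...) and unpaired quotes are backslashed,
// but whitespace still splits the message into several arguments.
function build_escapeshellcmd(string $to, string $msg): string {
    return escapeshellcmd("sendsms $to $msg");
}

// Per-argument quoting: each external value is wrapped in single quotes
// (embedded single quotes are escaped), so it stays exactly one argument.
function build_escapeshellarg(string $to, string $msg): string {
    return 'sendsms ' . escapeshellarg($to) . ' ' . escapeshellarg($msg);
}

// Allowlist check in addition to escaping: a destination number has a
// known shape, so anything else can be rejected before any command is built.
function is_valid_number(string $to): bool {
    return preg_match('/^\+?[0-9]{3,15}$/', $to) === 1;
}

// Constructed sample input, as it might arrive from a form or GET variable.
$to  = "12345; echo injected";
$msg = "hello it's me";

$variants = [
    'unsafe'         => build_unsafe($to, $msg),
    'escapeshellcmd' => build_escapeshellcmd($to, $msg),
    'escapeshellarg' => build_escapeshellarg($to, $msg),
];
foreach ($variants as $label => $cmd) {
    printf("%-15s %s\n", $label . ':', $cmd);
}

if (!is_valid_number($to)) {
    echo "allowlist: rejected, destination is not a phone number\n";
}
```

Run with `php` on the command line and compare the three printed command lines: only the unsafe variant lets the `;` terminate the intended command, and only the escapeshellarg variant keeps the message as a single argument.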





Re: [PHP] Fwd: PhpSmsSend remote execute commands bug

2002-01-29 Thread Evan Nemerson

Good point, but I actually recommend newbies subscribe to bugtraq. It really 
opened my eyes to the world of cross-site scripting. Now I not only know how, 
but do, write secure code.

If I saw a warning about a script either here or on bugtraq, I would 
immediately patch it, or at least shut down until it could be patched. It 
would be useful...

The probability that we may fail in the struggle ought not to deter us from 
the support of a cause we believe to be just.






On Tuesday 29 January 2002 17:22, you wrote:
  I'm think I'm going to start forwarding all the bugtraq
  alerts for PHP scripts to this list. Any objections?

 Yes, if the author of the script isn't on the list it's useless
 unless someone wants to patch their script themselves. And if
 they're the kind of person who's inclined to do that, they'd
 most likely already be watching BugTraq.

 There's such a large possibility of crappily-written code out
 there, I don't know if its worth the traffic on this list
 given that it's usually newbies.

 J
