|
|
Posted by Chris Shiflett on 06/02/05 07:44
Richard Lynch wrote:
> Why risk the possibility of your code being exposed or executed out of
> context when it's so *EASY* to move the include files and set
> include_path?
>
> I just don't understand the resistance to such a simple straight-forward
> elegant security measure.
>
> For 5 minutes of time, you can avoid dozens of potential pitfalls. [shrug]
I completely agree with this sentiment, and it is relevant to many
discussions, such as:
1. The debate between using mysql_real_escape_string() versus
addslashes() or magic_quotes_gpc.
2. The debate between escaping data to be sent to the client with
htmlentities() versus using str_replace() to just replace angled
brackets with their HTML entity equivalents.
3. The debate between storing includes outside of document root versus
using a .php file extension, instructing Apache to process .inc files as
PHP, instructing PHP to deny requests for .inc files, etc.
All of these discussions are a result of developers being foolish and
stubborn. Just because you might not be able to think of an exploit for
your particular approach doesn't mean that it's safe.
Web application security is a highly specialized discipline, and unless
you really know what you're doing, it's unlikely that you can properly
refute practices that have been developed and refined over many years.
Stick with best practices unless you are certain that they're not
actually best, in which case, you should share your evidence with the
community. :-)
(By the way, it's faster to specify an absolute path to your includes
than to rely on include_path. You can save PHP the hassle of searching.)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Navigation:
[Reply to this message]
|