Posted by R K on 10/25/06 18:38

Rik wrote:
> R K wrote:
> > Rik wrote:
> >> R K wrote:
> >>>> BTW, how do I fix this in an administrative way?
> >>>
> >>> Nevermind. Put this in the .htaccess file in the upload directory:
> >>>
> >>> php_value engine off
> >>
> >> Upload/tmp directories shouldn't even be accessable by http....
> >>
> >> /dir/
> >> /uploadtmp/
> >> /wwwroot/
> >
> > Yeah, but suppose you wanted an upload to be web accessible after
> > it's moved from the tempdir?
> >
> > That final directory needs the .htaccess, doesn't it?
>
> And it's far better to put these kinds of settings in httpd.conf then
> .htaccess, and forbidding to use .htaccess to change these values. If they

Then I'd have to reboot the server for every change, not interested in
that. Already short on time and this is not my real job.

> have access to the directory, what stops them from deleting or altering the
> .htaccess file, thus enabling PHP? I assume that when a user uploads a
> file, he is allowed the either edit or delete it..

Wouldn't permissions on .htaccess prevent overwrite if the server is
not running as root? guess there's one way to find out...

-R

[Back to original message]