Posted by Christoph Burschka on 02/23/07 07:00
Steve wrote:
> True. However, sadly, *most* web servers (Apache anyway) out there at least
> parse all documents through PHP even if the extension is different... things
> like .css or .jpg, or what have you. This is the critical part. As long as
> this is the configuration, you can find *many* ways to get your script onto
> their server, and you will have enough authorization to access any system
> directory that PHP has access to... even those not in the web root.
Um, excuse me, but I've never seen/used a server that was set up like
that (then again, you can usually trust professional web hosts to set up
their servers properly). On one or two occasions, I've seen someone in
here ask if you *can* set up the server to parse everything through PHP,
and the general answer was "don't, because it's horribly insecure". It's
useful for single directories (containing dynamic images or feeds), but
as long as those directories are separated from the ones where files can
be uploaded, it should be safe.
--cb
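The two configurations the thread is arguing about, side by side, as an added example that is not part of the original posts. It assumes Apache httpd with mod_php, and the directory paths under /var/www/site are placeholders chosen for illustration:

```apache
# Added example (not from the thread): scoping the mod_php handler in Apache httpd.
# The paths under /var/www/site are assumptions for illustration.
# Only one of the two <Directory "/var/www/site"> blocks below belongs in a real config.

# WEAK: every file in the document root is run through the PHP engine,
# whatever its extension. Any uploaded .jpg or .css is therefore executable code.
<Directory "/var/www/site">
    SetHandler application/x-httpd-php
</Directory>

# CORRECTED: site-wide, only files ending in .php reach the engine ...
<Directory "/var/www/site">
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
</Directory>

# ... a single directory that the web server cannot write to is opted into
# "parse everything", for dynamically generated images and feeds ...
<Directory "/var/www/site/dynamic">
    SetHandler application/x-httpd-php
</Directory>

# ... and the upload directory is made inert: PHP engine off, handlers removed,
# static delivery only, and no CGI or SSI execution regardless of filename.
<Directory "/var/www/site/uploads">
    php_admin_flag engine off
    RemoveHandler .php .phtml
    SetHandler default-handler
    Options -ExecCGI -Includes
</Directory>
```

The check after deploying this is to place a harmless text file containing a PHP open tag under the uploads directory and request it: the server should return the bytes verbatim as a static file, never an interpreted response, and the same request against the dynamic directory should show the engine running. Keeping the "parse everything" directory separate from any location that accepts uploads, as the reply above says, is what makes the broad handler acceptable there.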