Reply to Re: Choosing a host based on their PHP "security" measures

Posted by Jerry Stuckle on 04/02/07 11:49

hansBKK wrote:
> Schraalhans,
>
> I'm sorry but you've totally lost me, and perhaps misunderstood my
> intentions here. From my OP:
>
>>> I am looking for a host that will provide the right environment for
> this - running a wide variety of PHP applications. I realise that
> security is also important, but for now flexibility is more important to
> me.
>
> In other words, I'm NOT trying to create a secure system, I'm trying to
> find a host where I can basically just upload and install any of the
> mainstream scripts and start to use them. I *do not* want to have to
> mess with WordPress core code, or try to figure out what drupal modules
> I can use and which I can't, I'm "just a user", want to install the app
> and use it!
>
> Of course it's in a shared environment, I'm not going to get a VPS just
> to play and learn am I?
>
> Why would I care that someone could read my php/html? There's nothing
> sensitive there. . .
>
> I really can't understand anything you're telling me, as I said in my
> OP, I'm a newbie just starting out. If any of your message could be
> helpful to me, I think I need a translator first <g>
>
> But I'll give it a shot:
>
> safe_mode should be off, openbasedir should be off, $GLOBALS should be
> on, is that right? Or at least be able to override them in .htaccess or
> php.ini?
>

I would never be on a shared host with openbasedir and safemode off. If
they care that little about the security of their system

Also, the problem might not be that they can READ your PHP code. They
can also read the userid/password to your databases - and insert
anything they want in there - including your software. Even worse, they
can completely wipe out your pages and replace them with something else
- something you might not like, for instance.

>> 'potentially dangerous' functions such as eval, exec, passthru &
>> system. Note egrep with the -e option internally invokes eval as well)
>> in their php setup, in that case it is _REALLY_ easy to peek at any
>> other clients data.
>
> As I said I'm not concerned about that - so do I want the functions
> allowed or disabled?
>

You should be concerned about that. VERY MUCH CONCERNED.

>> Include files should best be kept in a directory above webroot,
>> something my own provider took some time to understand. (you can adapt
>> your include path in .htaccess btw). It helps to block every .inc file
>> (or whatever extension you prefer for includes) in .htaccess as well.
>
> Huh? What is an include file, and why would I want to block it?
>
>> If you're really concerned about security, also remember to set
>> another default path for session files, since they mostly end up in
>> /tmp, accessible for all the clients.
>
> I'm NOT at all concerned about security, getting less so by the minute,
> my head hurts!
>

Then I don't want to be anywhere near your site. Security should be
your FIRST concern - not your last.

>> HTH, good luck with your decision!
>
> Looks like I'll need it! <g>

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
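An added check, written for this page and not code from the thread or either poster: a throwaway PHP script that reports whether a host exposes the settings argued over above (open_basedir, safe_mode, the shell-spawning functions, session files in a shared /tmp, and include directories inside the web root). Function and message names are my own.

```php
<?php
// Added audit script (not from the thread). Upload it to the web root, load it
// once in a browser, read the findings, then delete it.

function audit_shared_host(): array {
    $findings = [];

    // open_basedir restricts which paths PHP may open; empty means no restriction.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir unset: scripts can read any file the web server '
                    . 'user can, including other customers\' config files.';
    }

    // safe_mode only exists on PHP < 5.4 (the era of this thread); ini_get()
    // returns false when the directive is absent, so skip it on newer PHP.
    $safe = ini_get('safe_mode');
    if ($safe !== false && !filter_var($safe, FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'safe_mode is available but off.';
    }

    // Shell-spawning functions named in the thread. function_exists() returns
    // false for functions listed in disable_functions. eval is a language
    // construct, not a function, so it cannot be disabled this way.
    foreach (['exec', 'passthru', 'system', 'shell_exec'] as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn() is enabled.";
        }
    }

    // Session files in the shared /tmp are readable by every other customer's
    // scripts. save_path may carry an "N;/path" prefix; keep only the path part.
    $savePath = (string) ini_get('session.save_path');
    $savePath = substr($savePath, strrpos($savePath, ';') === false ? 0 : strrpos($savePath, ';') + 1);
    if ($savePath === '' || strncmp($savePath, '/tmp', 4) === 0) {
        $findings[] = 'session.save_path is the shared /tmp: point it at a '
                    . 'directory only your account can read.';
    }

    // Include directories under the document root are fetchable by URL unless
    // .htaccess blocks them; the thread recommends keeping them above webroot.
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '') ?: '';
    foreach (explode(PATH_SEPARATOR, get_include_path()) as $dir) {
        $real = realpath($dir);
        if ($dir !== '.' && $docRoot !== '' && $real !== false
            && strncmp($real, $docRoot, strlen($docRoot)) === 0) {
            $findings[] = "include_path entry $dir is inside the document root.";
        }
    }
    return $findings;
}

header('Content-Type: text/plain');
$findings = audit_shared_host();
echo $findings ? implode("\n", $findings) : "No findings for the settings checked.";
```

An empty findings list only covers the directives above; it says nothing about the other customers' scripts or the file permissions on your own account.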
