|
Posted by Iain Napier on 12/17/05 13:52
Peter Fox wrote:
>
> Fine (when set to point outside the web root) so long as you know that
> your security model is "the key's under the mat". Ie. the you can't
> revoke permission to a single user, and you've opened up the complete
> archive to all users.
>
> BTW here is your starter for 10.
> How steps should you take to stop somebody trying to access the php
> sources by trying out a few possibilities like
> "filedownload.php?file=../www/filedownload.php"?
Hi Peter,
Thanks for the comments. All the filenames are stored in a MySQL
database, and the filename is validated against what's in there before
filedownload.php allows the user to get it.
[Back to original message]
|