mailing list archives
Re: PHP Security Risk?
From: John GALLET <john.gallet () wanadoo fr>
Date: Sat, 4 Dec 2004 10:47:00 +0100 (CET)
The real danger is that this security part is left te be handled by the
*programmer* not the sysadmin.
I wrote *this* security part. The checks I had just described.
Wrong. Sysadmins have full control over the httpd.conf and the
php.ini files. Any functions, classes, file extensions, execution
access, etc., that he/she feels unsafe may be disabled quite easily.
I don't see how the sysadmin can enforce ANY of the security controls I
had described before that statement (i.e. checking the type of the file,
its name so it won't be parsed etc...). I am talking about *file uploads*
here and AFAIK the sysadmin can only manipulate two switches about file
1) enable or disable file uploads
2) determine the temporary directory for file uploads.
Web server security involving PHP is certainly not 'left to be
handled' only by the programmer. The sysadmin has many facilities to
ensure a secure environment exists.
I would agreee only to a certain extent in general php programming, but as
far as file uploads are concerned, I am afraid this statement of yours is
totally overrated (though I'd love to be wrong).