Re: PHP Security Risk?

[John GALLET <john.gallet () wanadoo fr>]

Hi,

> > The real danger is that this security part is left te be handled by the
> > *programmer* not the sysadmin.
I wrote *this* security part. The checks I had just described.

> Wrong.  Sysadmins have full control over the httpd.conf and the
> php.ini files.  Any functions, classes, file extensions, execution
> access, etc., that he/she feels unsafe may be disabled quite easily.

I don't see how the sysadmin can enforce ANY of the security controls I 
had described before that statement (i.e. checking the type of the file, 
its name so it won't be parsed etc...). I am talking about *file uploads* 
here and AFAIK the sysadmin can only manipulate two switches about file 
uploads :
1) enable or disable file uploads
2) determine the temporary directory for file uploads.

> Web server security involving PHP is certainly not 'left to be
> handled' only by the programmer.  The sysadmin has many facilities to
> ensure a secure environment exists.

I would agreee only to a certain extent in general php programming, but as 
far as file uploads are concerned, I am afraid this statement of yours is 
totally overrated (though I'd love to be wrong).

JG