Niels wrote: > Richard Lynch wrote: > One of the things I've asked for is articles and tutorials, but there > apparently aren't any on this subject. I can find many on validating user > input, securing sessions and that kind of thing. But not this, no "howto > make php run useradd safely". I've seen many other people have problems > with this, but no tutorials are to be found. Perhaps the reason there is no article or tutorial is that it would be a book, not an article or tutorial :-) There are so MANY affected/related software system pieces that you can't do it justice in an article or tutorial, I suspect. The interaction between your scripts, the OS, PHP and every other script or piece of software on the system comes into play once you start granting special privileges to the PHP user. Here's a method you could easily miss: Create a JPEG that looks like a JPEG in its header, but has malevlolent PHP code in it. Then, upload that JPEG to your server as an avatar or whatever through some kind of file upload anywhere on the system. Then, surf to that image with variations on ".php" in the URL in an attempt to get PHP to execute that image as PHP code. This is exactly the kind of thing that *CAN* happen by successive small minor mistakes taken one at a time over years of a server build-up, none of which in and of themselves will be obvious as a problem, until too late. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
