On Mon, 2006-08-28 at 16:28 -0700, Micky Hulse wrote:
> Wow, thanks for all the great information folks (Stut, Ivo, Rob, and David.)
>
> I really appreciate all of the top-notch advice and expert information. :D
>
> Looks like I have a lot to think about...
>
> Currently, I hard-code the paths to the folders that house the files I
> want my CMS to edit (via a config file.) The script then iterates
> through the directory and adds all files of a specific type to a
> dropdown menu. The user can then choose one of the files to edit and
> load that file into a textarea... After changes are made, the
> content/code gets saved back to the same file/location.
>
> I do have an uploads folder, but it is in a different location on the
> server. I do not allow the user to create new files (I would have to do
> that manually)... it is a /very/ basic CMS.
>
> Anyway, looks like I have some great info to work with. Thanks again
> everyone for sharing your expertise.

How are these saved files then imported into the content? Are they included
or do you retrieve the contents using something like file(),
file_get_contents(), or fread() and then echo it? If you are using include
or require on a file whose contents are based on web input content then you
are opening up a can of security worms since anyone with access to the CMS
could embed PHP code in the content and do anything for which the webserver
has permissions.

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
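An added example (not code from the thread or from the CMS discussed) of the distinction Rob draws between include() and reading the edited file as data, plus a check that the dropdown selection stays inside the configured directory; the directory, file name and saved content are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Contrasts include() with reading the
// edited file as data; directory, file name and saved content are constructed.

$contentDir = sys_get_temp_dir() . '/cms_demo_content';   // assumed config value
@mkdir($contentDir, 0700, true);

// Constructed sample of what a CMS user could save through the textarea.
$saved = "<p>Hello</p>\n<?php echo 'PHP embedded in the content ran'; ?>\n";
file_put_contents($contentDir . '/page.html', $saved);

// Accept only a bare file name of the allowed type that resolves inside $dir.
function resolveContentFile(string $dir, string $selected): ?string
{
    $name = basename($selected);                          // drop any path part
    if (!preg_match('/^[A-Za-z0-9_-]+\.html$/', $name)) {
        return null;                                      // wrong name or extension
    }
    $real = realpath($dir . '/' . $name);
    $base = realpath($dir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                      // not inside the content directory
    }
    return $real;
}

// Risky: include() parses the file, so any <?php ... ?> the editor typed runs
// with the webserver's permissions.
function renderViaInclude(string $file): string
{
    ob_start();
    include $file;
    return ob_get_clean();
}

// Safer: the file is read as text; the PHP tag is just bytes in the output.
function renderAsData(string $file): string
{
    return file_get_contents($file);
}

$file = resolveContentFile($contentDir, 'page.html');
if ($file !== null) {
    echo "include(): ", renderViaInclude($file);
    echo "file_get_contents(): ", renderAsData($file);
}
var_dump(resolveContentFile($contentDir, '../outside.html'));   // rejected: null
```

Whether the echoed HTML itself needs escaping is a separate question that depends on who is trusted to edit it; the point here is that reading the file as data never hands its contents to the PHP interpreter.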