At 6:24 PM -0500 4/16/07, Richard Lynch wrote:
> index.php is also accessible, if I can guess the login, which I did on
> my first try...
Well, I did provide the login and password in a subsequent post.
BUT, I didn't try to make it hard to guess, that wasn't the point of
the post. I was trying to see what files were considered "secure" and
what files weren't.
---
> I can then visit b.php and auth.php, which do not seem to generate
> output.
As you said "PHP code is executed completely out of context, in a manner you
have never ever tested at all...."
So, I try to make my include scripts produce nothing when called
independently. I've seen techniques where a token must be correct
before running, but I just make my includes dependent upon variables
in the calling script.
---
> If you put the stuff you want to keep private OUTSIDE the web-tree,
> and provide a PHP gate-keeper to get to it, you reduce your risk.
I'm sorry, I should know this, but I don't.
You see, I work totally in hosted environments. They provide me with
several folders from "anon.ftp" to "web_users" (including a "private"
folder).
I start building from inside httpdocs folder where I place an
index.php file and then branch out from there. Now, where is "OUTSIDE
the web-tree"?
> It's a lot harder to screw up bad enough to configure Apache to start
> serving up files directly from a "private" directory.
I have a "private" directory, but if I place files in it, I can't
read them via php -- I get a:
Warning: fopen(): open_basedir restriction in effect.
I've read how one can turn that off, but I have not been successful
in doing so.
---
> PPS Nice photo! :-)
> http://sperling.com/a/pw/girl.jpg
Now you got me going, how did you get that? Even my php scripts can't read it.
Or are you putting me on? Send me a copy of it back-channel. :-)
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
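The two techniques discussed in the thread (an include that produces nothing when requested directly, and a PHP gate-keeper that serves files kept outside the web tree) put together in one script. This is an added example, not code from the thread or from either poster; the PRIVATE_DIR path, the IN_APP constant, the session key, the allowlist and the file names are all assumptions for illustration.

```php
<?php
// gate.php (hypothetical): serves files stored OUTSIDE the web tree to
// logged-in users only. Added example, not code from the thread.
declare(strict_types=1);

// 1. Include guard. Every include file in this layout starts with:
//      if (!defined('IN_APP')) { http_response_code(404); exit; }
//    so fetching b.php or auth.php directly yields nothing. The calling
//    script defines the constant before any require/include.
define('IN_APP', true);

// Assumed: a directory the hoster gives you that is not under httpdocs.
const PRIVATE_DIR = '/home/example/private';

// 2. Only authenticated sessions reach the files. An anonymous visitor
//    gets the same answer as for a file that does not exist.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(404);
    exit;
}

// 3. open_basedir is usually set by the hoster. If PRIVATE_DIR is not
//    inside it, fopen()/readfile() fail with the warning quoted in the
//    thread, so check up front and report a configuration problem.
function private_dir_allowed_by_open_basedir(string $dir): bool
{
    $basedir = ini_get('open_basedir');
    if ($basedir === false || $basedir === '') {
        return true;            // no restriction in effect
    }
    foreach (explode(PATH_SEPARATOR, $basedir) as $allowed) {
        $allowed = rtrim($allowed, '/');
        if ($dir === $allowed || strpos($dir, $allowed . '/') === 0) {
            return true;
        }
    }
    return false;
}

if (!private_dir_allowed_by_open_basedir(PRIVATE_DIR)) {
    http_response_code(500);
    exit('Server misconfiguration: private directory is outside open_basedir');
}

// 4. Map a short key to a file name. The request never supplies a path,
//    so "../" tricks have nothing to work on. Constructed sample entries.
$files = [
    'report' => 'report.pdf',
    'photo'  => 'photo.jpg',
];
$key = $_GET['f'] ?? '';
if (!isset($files[$key])) {
    http_response_code(404);
    exit;
}

// 5. Resolve the real path (follows symlinks) and confirm it is still
//    inside PRIVATE_DIR before reading it.
$path = realpath(PRIVATE_DIR . '/' . $files[$key]);
if ($path === false || strpos($path, PRIVATE_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit;
}

// 6. Hand the bytes over; the web server never sees PRIVATE_DIR itself.
$type = mime_content_type($path) ?: 'application/octet-stream';
header('Content-Type: ' . $type);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

Request it as `/gate.php?f=report` after logging in. On a hosted account the only part you usually cannot fix yourself is step 3: `ini_get('open_basedir')` shows which directories PHP may touch, and if the "private" folder is not listed, the hoster has to add it (or you keep the files in a directory that is listed but is still not under httpdocs). Step 1 is the difference between an include that silently does nothing and one that runs with no variables set when a visitor requests it by name.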