On 6/26/07, Al Rider <alan@xxxxxxxxxxxxx> wrote:
> I thought that the PHP engine took care of deleting tmp files when the script ended. Thus, if his script is terminated before his code deletes the file, the engine will ensure it's deleted. Otherwise, he should use an ignore_user_abort().
You're right, and good point about ignore_user_abort();. I'd actually never used that function before, but there are several places where I could (and probably should).

The point I was making is that, unless the server is set up properly, as the files exist on the server, they'll be readable, clone-able, and possibly even executable. All a malicious user would need to do is watch the /tmp directory for files being written and immediately copy or read them. This doesn't take into account proper usage of suexec, correct chmod'ing of /tmp (and mounting, if you're like myself), et cetera, but keep in mind that not all (perhaps even most) hosting providers out there are one-man operations, and a gross majority of those are run by people with almost no knowledge of - or maybe concern for - best practices regarding their customers' security.

--
Daniel P. Brown
[office] (570-) 587-7080 Ext. 272
[mobile] (570-) 766-8107

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
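The server-side conditions named in the reply above (permissions on /tmp, how it is mounted, temp files readable by other local users) can be checked with a short audit script. This is an added example, not part of the original thread; it assumes Linux, a shell whose `test` supports `-k`, and a `find` with `-maxdepth`, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a temp directory for the exposure discussed above.
# Assumes Linux (/proc/mounts layout) and a find that supports -maxdepth.

# Succeeds if DIR has the sticky bit, so users cannot delete or rename
# each other's files in a world-writable directory.
has_sticky_bit() { [ -k "$1" ]; }

# Prints regular files directly under DIR that any local user can read.
world_readable_files() {
    find "$1" -maxdepth 1 -type f -perm -004 2>/dev/null
}

# Prints the mount options of the filesystem holding DIR, taking the longest
# matching mount point from a /proc/mounts-style file (default: /proc/mounts).
mount_options_for() {
    awk -v dir="$1" '
        {
            hit = ($2 == "/" || dir == $2 || index(dir, $2 "/") == 1)
            if (hit && length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeeds if the comma-separated option list OPTS contains OPT.
has_mount_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line for DIR; prints nothing if every check passes.
audit_tmp_dir() {
    dir=$1; mounts=${2:-/proc/mounts}
    has_sticky_bit "$dir" || echo "no sticky bit on $dir"
    opts=$(mount_options_for "$dir" "$mounts" 2>/dev/null) || opts=""
    has_mount_option "$opts" noexec || echo "$dir is not mounted noexec"
    world_readable_files "$dir" | while IFS= read -r f; do
        echo "world-readable: $f"
    done
}

audit_tmp_dir "${1:-/tmp}"
```

Run it with the directory PHP writes its temp files to as the first argument; with no argument it audits /tmp.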