On Wednesday 27 June 2007 03:53, Daniel Brown wrote:
> On 6/26/07, Al Rider <alan@xxxxxxxxxxxxx> wrote:
> > I think most systems have a /tmp directory above the web dir, so
> > outsiders can't watch it anyhow.
>
> True, but on an unsecured box, this becomes possible, as Apache
> will most likely be running universally as `nobody`, `httpd`,
> `apache`, or `daemon` for all scripts, including all web-based scripts
> writing to the /tmp directory. This includes session information,
> temporary .php files (as Marius requested), et cetera.

How is this different from: "put them in a specific directory that only the
web server has access to read, write, and execute"

--
Crayon

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php