I thought he'd be more worried about something like 'cat /tmp/sess_*'. Also, you can enable the save_path in the ini file or htaccess file and then disable the PHP function in the ini file. Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com Robert Cummings wrote: > On Tue, 2008-09-02 at 16:22 -0500, Micah Gersten wrote: > >> If one does not know where the session data is, one cannot inject code >> to expose it. >> > > PHP knows where the session data is, the very function you gave provides > the path to it also. If you've got code injection then you've got > someone who can probably read the return value of session_save_path(). > > Cheers, > Rob. > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
