I just posted the following at "http://stackoverflow.com/questions/3481880/what-php-extensions-are-preferred-and-what-about-security-preferences/5223539#5223539". Am I missing anything, or are all these guides and hosts either not disabling enough functions or disabling security aids to give warning messages with dangerous results?

_________________________________________________________________________

"Why do so many hosts and guides disable escapeshell[arg|cmd], which are security aids!!!! and leave shell_exec enabled. Leads to opening up your servers to untrusted execution due to things like this.

"http://www.silverstripe.org/hosting-requirements/show/10777"

The only thing I can think of is that using it twice might cause problems, and safe mode used to be widespread and so would apply escapeshellcmd automatically. And now the hosts just copy configs blindly and in error and don't understand, and so trust the 100s of threads that say you should do this. Yeah, use it as reference, I'm looking at it, but don't trust it because some "good" host uses it"

__________________________________________________________________________

Surely this matters more than removing safe mode, despite defence in depth, because users believe it to be a safety blanket and may not also use chroot and permissions etc.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
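A check for the configuration pattern the post describes, added here as an example and not part of the original message: it reads a php.ini text and flags the case where `escapeshellarg`/`escapeshellcmd` are in `disable_functions` while a command-execution function is still enabled. The list of execution functions and both sample configs are assumptions constructed for illustration.

```python
import re

# Assumed, non-exhaustive list of PHP functions that run shell commands.
EXEC_FUNCS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}
# The escaping helpers the post calls "security aids".
ESCAPE_FUNCS = {"escapeshellarg", "escapeshellcmd"}

def disabled_functions(ini_text):
    """Return the names in the last disable_functions line (the last one wins)."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop php.ini ';' comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            # PHP function names are case-insensitive, so compare in lowercase.
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled

def audit(ini_text):
    """Report which exec functions stay enabled and which escapers are disabled."""
    disabled = disabled_functions(ini_text)
    exec_enabled = sorted(EXEC_FUNCS - disabled)
    escapers_disabled = sorted(ESCAPE_FUNCS & disabled)
    return {
        "exec_enabled": exec_enabled,
        "escapers_disabled": escapers_disabled,
        # Risky: scripts can still run commands but cannot escape their arguments.
        "risky": bool(exec_enabled and escapers_disabled),
    }

# Constructed sample: escapers disabled, shell_exec and exec left enabled.
HOST_STYLE = """
; copied from a hosting guide (constructed sample)
disable_functions = escapeshellarg,escapeshellcmd,passthru,system
"""

# Constructed sample: execution functions disabled, escapers left available.
HARDENED = """
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
"""

if __name__ == "__main__":
    for name, text in (("host-style", HOST_STYLE), ("hardened", HARDENED)):
        print(name, audit(text))
```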