Stuart Dallas on Monday, 23 September 2013 - 12:58:

> And, honestly, who would have a PHP file per language? I think it's perfectly reasonable to not allow that, because duplicating PHP code across many files is an incredibly stupid way to support multiple languages.
>

I agree!! Didn't even know that this kind of faked language support exists...

> "Some people run all their files through PHP" - true, but that doesn't mean they should, or that you, as a responsible web host, should be endorsing it.
>
> PHP developers should absolutely validate all content coming in from users in every possible way, but I would be highly dubious about trusting a host who gives the reason above for what I consider a lax and insecure Apache configuration. It's like saying they sliced your arm off with their chainsaw because it's made for cutting things, attempting to dodge all responsibility for having swung it in your direction!
>

OK, in principle, I also agree. But this case is very easy to handle. I'm simply running "str_replace()" against dangerous parts of uploaded filenames, ".php" for instance. After that, Apache in every configuration will just serve, and never execute, user-uploaded files. There remains the risk on the client's side, I must concede.

Better solutions?

Nice days,
Niklaus

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
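
An added example, not part of the original thread or the poster's code: it runs the `str_replace()` filter described in the message over a few constructed filenames and reports what is left, next to an alternative that ignores the client-supplied name and stores the upload under a random name with an allowlisted extension. The function names, the sample filenames and the allowed-extension list are assumptions.

```php
<?php
declare(strict_types=1);

// The filter described in the message: strip ".php" from the uploaded name.
// str_replace() is case-sensitive and makes a single pass over the input.
function strip_php(string $name): string
{
    return str_replace('.php', '', $name);
}

// Alternative (assumption, not from the thread): never reuse the client name.
// Accept only an allowlisted final extension, then store the file under a
// random server-generated name so no client-chosen name part reaches disk.
function stored_name(string $clientName, array $allowed = ['jpg', 'png', 'gif', 'pdf']): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null; // reject the upload
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames for checking both functions.
$samples = [
    'holiday.jpg',
    'page.php.en',
    'x.php.png',
    'notes.PHP',
    'tool.phtml',
    'a.p.phphp',
];

printf("%-14s %-14s %-10s %s\n", 'client name', 'after strip', 'ph* left?', 'stored as');
foreach ($samples as $name) {
    $stripped = strip_php($name);
    // Check the filter's output: is a ".ph..." name part still present
    // (any letter case, covering .php, .PHP, .phtml and similar)?
    $left = preg_match('/\.ph[a-z0-9]*/i', $stripped) === 1 ? 'yes' : 'no';
    $stored = stored_name($name) ?? '(rejected)';
    printf("%-14s %-14s %-10s %s\n", $name, $stripped, $left, $stored);
}
```

For the last three sample names the stripped result still carries a `.ph…` part (different letter case, a different extension, or a `.php` re-formed by the removal itself), while `stored_name()` rejects them and never writes a client-chosen name to disk.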