Entry
Why can anyone see any files on the server using directory functions?
Mar 2nd, 2000 13:07
Matt Gregory, Christian Spies
Because PHP is a powerful scripting language. Access to PHP or its
functionality must be controlled by the system administrator, or it can
be abused to compromise security. You should limit the use of
functions which allow untrusted users to view, copy, delete, download or
edit files that are not owned by the person writing the script. All
of this can be accomplished by proper setup of the PHP configuration
files.
You need to do one of two things: disallow use of the directory
functions for all users, or prevent users from having access to PHP
unless you trust them not to write scripts which compromise your
security.
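The following php.ini fragment is an added example, not part of the original FAQ entry, showing the weak default beside the two hardening options described above; the directive names are those of current PHP releases and the paths are assumed placeholders.

```ini
; Added example: restricting PHP's directory functions via php.ini.
; Directive names (disable_functions, open_basedir) are from current PHP
; releases and are assumed here; check your installed version's manual.

; --- Weak: the defaults leave every directory function usable by any script ---
; disable_functions =
; open_basedir =

; --- Option 1: disallow the directory functions for all users ---
; Names listed here become unavailable to every script, and a script cannot
; re-enable them with ini_set().
disable_functions = opendir,readdir,rewinddir,closedir,scandir,dir,glob,chdir

; --- Option 2: confine each script to its own directory tree ---
; With open_basedir set, file and directory functions refuse any path outside
; the listed directories, so one user's script cannot list another user's
; files. Paths below are placeholders for your own layout.
open_basedir = /var/www/example-user/:/tmp/
```

On a shared Apache host, open_basedir is normally set per virtual host with `php_admin_value open_basedir ...` so that each user gets their own tree and cannot override it from a .htaccess file.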