I don't host my own site so how can I put include files outside of the web
root?  I log on ftp and my top level IS the web root (htdocs), I can't go
any higher.

- seb

-----Original Message-----
From: Rasmus Lerdorf [mailto:[EMAIL PROTECTED]]
Sent: 17 August 2001 05:01
To: Bob
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] hacks we should know about


> Hi, I found it very helpful to know about hacks such as the below list
> and was wondering if anyone had any more dumb mistakes they could tell
> us before we make them.
>
> 1. http://www.somesite.com/source.php3?url=/etc/passwd
> 2. http://www.somesite.com?page=../../../../etc/passwd
> 3. not setting .inc files to be parsed by php

This is the wrong solution to securing include files.  The correct
solution is to block any direct access to .inc files by either putting
them outside your document root or by using an Apache deny rule.

-Rasmus


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
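
The Apache deny rule mentioned in the reply above, as an added example that is not part of the original thread: a `.htaccess` file placed in the web root (htdocs), shown beside the approach from item 3 of the quoted list. It assumes the hosting provider allows `.htaccess` overrides (`AllowOverride Limit` for the older syntax, `AllowOverride AuthConfig` for the 2.4 syntax); the `.inc` extension is the one used in the thread.

```apache
# --- Approach from item 3 (the one the reply calls the wrong solution) ---
# Hands .inc files to PHP so their source is not shown, but each include
# can still be requested directly and executed outside its intended context.
# AddType application/x-httpd-php .inc

# --- Deny rule: refuse every direct HTTP request for *.inc ---
# PHP's include()/require() read the file from disk, so they are unaffected.
<FilesMatch "\.inc$">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 1.3 / 2.0 / 2.2 (host-based access control)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After uploading the file, requesting any `.inc` URL on the site in a browser should return 403 Forbidden; a 500 error instead usually means the host does not permit these directives in `.htaccess`.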


