hosting tips (php knowledge)
insanemonkey
11-01-2007, 06:28 PM
This is for PHP-ers...
I have just recently released version1 on my beta hosting that I made, which only allows html files..
But I want to allow php files and here is the question..
how would be some things I could take at risk..
I do not allow <script> tags as a threat..
hard question and I don't know how to ask it..
<?php
$savecontent = str_replace("<script>", "...", $savecontent);
$savecontent = str_replace("</script>", "...", $savecontent);
?>
I currently use that above to take away script tags.
I don't want to be hacked or anything, I am going to put phpinfo(); in there,
but what else can I put in there or what should I do..
any opinions or comments let me hear them please...
djr33
11-01-2007, 06:51 PM
Allowing PHP files is stupid.
unlink('../index.php');
...as the least of your concerns.
JavaScript (i.e. script tags) is no real threat, except in abuse to your server; PHP, though, allows direct access.
insanemonkey
11-01-2007, 07:08 PM
OK, I guess I won't allow PHP files... what does unlink do... delete the file?
djr33
11-01-2007, 07:12 PM
Yep.
But that's just the simplest example I could think of.
With about 8 lines of code, a very basic function for deleting every file on the server could be written... enjoy.
Not to mention grabbing any database password files and changing any existing PHP code.
In short, hand out your FTP password, or don't allow PHP scripts-- the former would be a less painful death for your server.
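As an added example (not code from the thread or from any of its posters), here is the allowlist approach that this advice leads to: the host accepts only a fixed set of non-executable extensions, checks every extension in the name rather than just the last one, and refuses text bodies that contain a PHP open tag. The function names and the extension list are my own assumptions.

```php
<?php
// Added example, not from the thread. Function names and the
// extension list are assumptions for illustration.

// Static content only: no php, phtml, cgi, pl, htaccess. Anything not
// listed is refused, instead of trying to enumerate what is dangerous.
const ALLOWED_EXTENSIONS = ['html', 'htm', 'css', 'txt', 'png', 'jpg', 'jpeg', 'gif'];

/**
 * True if the uploaded file name is acceptable. Every dot-separated part
 * after the base name is checked, because under an Apache AddHandler
 * setup a name like "page.php.html" can still reach the PHP engine.
 */
function filename_allowed(string $name): bool
{
    $base = basename($name);                // drop any directory component
    if ($base === '' || $base[0] === '.') { // no hidden files (.htaccess)
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                       // an extension is required
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Defence in depth for text uploads: refuse any body with a PHP open tag,
 * so a misconfigured handler cannot turn an "HTML" file into code. This
 * also refuses "<?xml" prologs, which is acceptable for an HTML-only host.
 */
function body_allowed(string $content): bool
{
    return stripos($content, '<?') === false;
}

/**
 * The str_replace filter from the first post only matches the exact
 * lowercase string "<script>". A case-insensitive regex that tolerates
 * attributes and whitespace covers the spellings it misses.
 */
function strip_script_tags(string $content): string
{
    return preg_replace('#</?script\b[^>]*>#i', '...', $content);
}
```

Keeping the upload directory outside the PHP handler's reach (for example, a location where PHP is disabled in the web server configuration) is still the primary control; these checks are the second layer.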
insanemonkey
11-01-2007, 07:15 PM
Thank you.. wow, I can't believe they have functions like that in PHP.....
djr33
11-01-2007, 07:21 PM
That's the whole point of PHP-- it allows full control of the server.
The function I mentioned I don't believe exists in PHP by default, but it's not hard to write. Just loop through everything and delete. Done!
shell_exec('rm -rf ~');
tech_support
11-03-2007, 02:22 AM
Only for Linux servers.
Fine:
shell_exec('deltree \');
tech_support
11-03-2007, 03:12 AM
'deltree' is not recognized as an internal or external command,
operable program or batch file.
Errr, it's this:
exec('rmdir /S /Q Full\Path\to\File');
Bah, really? Shows how long it's been since I've used DOS/cmd.exe seriously, I guess :p
blm126
11-04-2007, 05:15 PM
There is a way to allow PHP to run without getting hacked. However, it takes a little work. http://www.php.net/manual/en/runkit.sandbox.php I've always wanted to play with that extension, but never really got the chance.
Looks a bit risky to me. It still takes a black-list view to security, and it's marked as experimental. Not something to which I'd entrust my web server :p
djr33
11-04-2007, 05:41 PM
Eh, I'd try that for someone I trusted but didn't want messing with the overall server configuration. All users? Random people? Nah :p