hosting tips (php knowledge)

**insanemonkey** · 11-01-2007, 06:28 PM

this is for php-ers...

I have just recently released version1 on my beta hosting that I made, which only allows html files..

But I want to allow php files and here is the question..

how would be some things i could take at risk..

I do not allow <script> tags as a threat..

hard question and I don't know how to ask it..

Code:

<?php

   $savecontent = str_replace("<script>", "...", $savecontent);
   $savecontent = str_replace("</script>", "...", $savecontent);

?>

I currently use that above to take away script tags.
I don't want to be hacked or anything, I am going to put phpinfo(); in there,
but what else can I put in there or what should I do..

any opinions or comments let me hear them please...

**djr33** · 11-01-2007, 06:51 PM

Allowing PHP files is stupid.

unlink('../index.php');

...as the least of your concerns.

Javascript (ie script tags), is no real threat, except in abuse to your server; PHP, though, allows direct access.

**insanemonkey** · 11-01-2007, 07:08 PM

ok i guess i won't allow php files... what does unlink do... delete the file?

**djr33** · 11-01-2007, 07:12 PM

Yep.

But that's just the simplest example I could think of.

With about 8 lines of code, a very basic function for deleting every file on the server could be written... enjoy.
Not to mention grabbing any database password files and changing any existing PHP code.

In short, hand out your FTP password, or don't allow PHP scripts-- the former would be a less painful death for your server.

**insanemonkey** · 11-01-2007, 07:15 PM

Thankyou.. wow i can't believe they have functions like that in php.....

**djr33** · 11-01-2007, 07:21 PM

That's the whole point of PHP-- it allows full control of the server.

The function I mentioned I don't believe exists in PHP by default, but it's not hard to write. Just loop through everything and delete. Done!