[PHP-DOC] RE: [PHP-DEV] PHP File Upload Security Hole - Still No Fix? From: James Moore (jmoore <email protected>)
Date: 09/05/00

>
> JM>> HTTP_POST_VARS, HTTP_GET_VARS and turn register_globals off
> (That's what
> JM>> php.ini is there for, so you can choose how *you* set up PHP.
> JM>> HTTP_POST_FILES already exists AFAIK. Another point about killing
> JM>> register_globals is that 99.99% of form processing does not include
> JM>> uploading, so why should we break this great functionality for this?
>
> I guess we just should say in large friendly letters in the manual "use
> HTTP_POST_FILES when you upload files, doing otherwise is insecure!".
> At least until we make it safe.
>

I'm just adding a warning to the manual about this now and adding a section
to features.file-uploads called File Upload Security Issues, detailing the
main issues of not using HTTP_POST_FILES, how it could be used maliciously and
what has been done about it. If you have anything you feel should be
explicitly said in this section (or you feel should not be said), please email
me with your suggestions...

I was also looking at adding something to the safe_mode docs, but with the
recent changes that Andi made I am not 100% sure of what it does and doesn't
do anymore. Maybe one of the developers (Andi?) could explain in some depth
what it does and doesn't do so we could get the docs up to date about this.

James
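The contrast the thread is discussing, written out as an added example (this is not code from the mailing-list message or from the PHP manual). It assumes a form field named "userfile" and a hypothetical destination directory /var/www/uploads; the is_uploaded_file() check at the end was added to PHP in 4.0.3, after the date of this message, so it is guarded with function_exists() and is not something the thread itself relies on.

```php
<?php
// Added example, not from the original mailing-list message or the PHP manual.
// Shows why a file-upload handler that relies on register_globals is unsafe and
// how the same handler looks when it reads $HTTP_POST_FILES instead.
// Assumptions: the upload form field is called "userfile"; the destination
// directory /var/www/uploads is hypothetical. $HTTP_POST_FILES is the PHP 4
// name of the array that later became $_FILES.

// ---- Vulnerable pattern (register_globals = On) -----------------------------
// With register_globals on, a multipart upload of field "userfile" creates
// $userfile (temporary path), $userfile_name, $userfile_size and
// $userfile_type as ordinary global variables. Nothing distinguishes them from
// plain form fields: a client that sends an ordinary POST body such as
//   userfile=/etc/passwd&userfile_name=passwd.txt
// gets the same variables, and the function below copies the server's own
// file into the web root. $userfile_name is attacker-controlled too, so it
// can also carry "../" components.
function save_upload_insecure()
{
    global $userfile, $userfile_name;
    $dest = "/var/www/uploads/" . $userfile_name;
    // $userfile may name any file the web server can read.
    return copy($userfile, $dest);
}

// ---- Safer pattern: read $HTTP_POST_FILES ----------------------------------
// $HTTP_POST_FILES is populated only from real multipart/form-data file parts,
// so a spoofed scalar "userfile" field cannot fill it. Its entries are:
//   ['name']     original file name as sent by the browser (untrusted)
//   ['type']     MIME type as sent by the browser (untrusted)
//   ['size']     size in bytes as received
//   ['tmp_name'] temporary path where PHP stored the received data
function save_upload_safer()
{
    global $HTTP_POST_FILES;

    if (!isset($HTTP_POST_FILES['userfile'])) {
        return false;                      // no file part in this request
    }
    $f = $HTTP_POST_FILES['userfile'];

    // Never use ['name'] as a path: drop any directory part and allow only a
    // conservative character set, so "../../etc/cron.d/x" or a dot-file
    // cannot be written.
    $base = basename($f['name']);
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $base) || $base[0] == '.') {
        return false;
    }
    $dest = "/var/www/uploads/" . $base;

    // Belt-and-braces check available from PHP 4.0.3 onward (after the date
    // of this message): confirms tmp_name was really created by this
    // request's upload and is not some other path.
    if (function_exists('is_uploaded_file') && !is_uploaded_file($f['tmp_name'])) {
        return false;
    }
    return copy($f['tmp_name'], $dest);
}
```

The essential difference is the source of the path passed to copy(): in the first function it is whatever the client put in the request, in the second it is a temporary file PHP itself created for a genuine file part. Validating ['name'] before building the destination path is a separate, equally necessary step, since the browser-supplied file name is untrusted in both versions.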