Quoting Luis Mondesi ([EMAIL PROTECTED]):

> It's time to tell PHP (via php.ini) not to allow any of those
> functions that allow executing stuff from the system (system,
> passthru, whatever).

Amen to that. Good starting point:

    disable_functions = system, exec, passthru, popen, escapeshellcmd, shell_exec

Looking at the typical php.ini is faintly terrifying, starting with the almost invariably ignored warning comments at the top, saying these settings are for development environments only, and should never be exposed to public networks.

(I have various modest recommendations in "PHP" on http://linuxmafia.com/kb/Security/ .)
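An added example, not part of the original message: a small Python audit that reads php.ini text and reports which functions from the list in the post are still enabled. The function names `disabled_functions` and `missing_from_policy` and the sample ini text are constructed for illustration; the exact-case comparison is a conservative assumption.

```python
import re

# The list given in the post above; pass another tuple to audit a different policy.
PAGE_LIST = ("system", "exec", "passthru", "popen", "escapeshellcmd", "shell_exec")

# php.ini directive names are case-sensitive, so the name is matched exactly.
_DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def disabled_functions(ini_text):
    """Return the names on the effective disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):
            continue  # a commented-out directive has no effect
        match = _DIRECTIVE.match(line)
        if match:
            # A later assignment replaces an earlier one; drop any trailing comment.
            value = match.group(1).split(";", 1)[0]
    value = value.strip().strip("\"'")
    return {name.strip() for name in value.split(",") if name.strip()}


def missing_from_policy(ini_text, required=PAGE_LIST):
    """Return the required functions that the ini text leaves enabled."""
    have = disabled_functions(ini_text)
    # Assumption: compare with exact case, so a differently cased entry is reported.
    return sorted(name for name in required if name not in have)


# Constructed samples: an empty directive with the real one commented out,
# a partial list, and the full list from the post.
SAMPLE_WEAK = "; disable_functions = system, exec\ndisable_functions =\n"
SAMPLE_PARTIAL = "[PHP]\ndisable_functions = system,exec\n"
SAMPLE_HARDENED = (
    "[PHP]\n"
    "disable_functions = system, exec, passthru, popen, "
    "escapeshellcmd, shell_exec ; site policy\n"
)

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("partial", SAMPLE_PARTIAL),
                        ("hardened", SAMPLE_HARDENED)):
        print(label, "still enabled:", missing_from_policy(text) or "none")
```

Run it against the php.ini of each SAPI in use (CLI, Apache module, FPM), since each can load a different file.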