Rick Harrison wrote:
>> On Nov 28, 2016, at 4:44 PM, Stephen Barncard wrote:
>>
>> FYI the PHP forums mentioned devious ways to get info from folders
>> outside of web root using INCLUDE.
>>
>> In a test with LIVECODE SERVER I was able to get html data from a
>> text file inside of a folder above a web root using INCLUDE but I
>> didn't explore further.
>
> Hmm.. that’s rather disturbing for security isn’t it.
> So much for PHP. That’s why it’s best not to
> set up PHP to be able to be used on servers.

Just about any language that can support file I/O can read and write
files from any location it has access to.

Scripting engines don't generally care whether they're asked to read:

/home/user/htdocs/something.lc

...or:

/home/user/something.lc

If you set your folder and file permissions correctly, and properly
sanitize inputs, there's nothing inherently unsafe about it.

On the contrary, sometimes it can be safer to be able to make use of
data stored outside the web root, under the control of your script.

For example, WordPress, Drupal, and most other systems that need to
connect to a database need to store the password to the DB somewhere.
Keeping that in the web root would be unsafe, so those systems usually
keep it outside of that.

In most of my server systems I even keep stack files outside of the web
root, served up with my CGI. This keeps them safely away from spiders,
and allows me to ensure authentication before access.

--
Richard Gaskin
Fourth World Systems
Software Design and Development for the Desktop, Mobile, and the Web
____________________________________________________________________
ambassa...@fourthworld.com http://www.FourthWorld.com
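
Added example, not part of the original message or of any poster's code: a sketch in Python of the input sanitizing the reply refers to, for a script that serves files from a private folder kept beside the web root. The directory layout, file names and the helper names resolve_private, build_demo_tree and check_requests are assumptions made up for the illustration.

```python
import tempfile
from pathlib import Path


class PathRejected(Exception):
    """Requested name does not resolve to a file inside the private folder."""


def resolve_private(base_dir, requested):
    """Return the real path of `requested` under `base_dir`, or raise."""
    if "\x00" in requested:
        raise PathRejected("NUL byte in name")
    base = Path(base_dir).resolve(strict=True)
    # Joining an absolute name replaces base entirely; resolve() collapses
    # ".." and follows symlinks, so the check below sees the real target.
    candidate = (base / requested).resolve(strict=False)
    if base not in candidate.parents:
        raise PathRejected(f"{requested!r} escapes {base}")
    if not candidate.is_file():
        raise PathRejected(f"{requested!r} is not a regular file")
    return candidate


def build_demo_tree(root):
    """Constructed layout: htdocs/ is the web root, private/ sits beside it."""
    root = Path(root)
    (root / "htdocs").mkdir()
    (root / "private").mkdir()
    (root / "private" / "report.txt").write_text("quarterly data\n")
    (root / "secret.conf").write_text("db_password=constructed-value\n")
    return root / "private"


def check_requests(base_dir, names):
    """Map each requested name to 'ok' or 'rejected'."""
    results = {}
    for name in names:
        try:
            resolve_private(base_dir, name)
            results[name] = "ok"
        except PathRejected:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        private = build_demo_tree(tmp)
        names = ["report.txt", "../secret.conf", "/etc/passwd", "missing.txt"]
        for name, verdict in check_requests(private, names).items():
            print(f"{verdict:9} {name}")
```

The check runs on the resolved path rather than on the raw string, so a symlink placed inside the private folder that points elsewhere is rejected as well.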