Brent Epp wrote:
>
> The simple answer is: never accept any type of user input without
> server-side validation. Specifically, $_GET or $_POST variables
> should *always* be checked and stripped down to make sure they contain
> *only* the data you expect.
OK. Let's assume you have customers that load scripts of their own onto
your server. This makes it impossible to know what they may have done in
their apps. I was thinking more along the lines of a set of
recommendations that we can check / implement at the server level...
And while we are on the topic of PHP security - The current BlueQuartz
setting of allowing or disallowing PHP on a per site basis is broken.
PHP code works on all virtual sites, regardless of this setting on my
box.... This is being caused by /etc/httpd/conf.d/php.conf inside the
current build of php-4.3.9-3.22.5.... which includes an entry to add PHP
as a recognised file type for all virtual sites. (See below)
AddType application/x-httpd-php .php
I think I am correct in assuming that this line can be safely commented
out, to allow BlueQuartz to operate as designed? Can this be added to a
future release of BQ to make sure this line is disabled in php.conf?
Regards,
Greg
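As an added example (not part of the original thread or of BlueQuartz), the following POSIX shell script audits a php.conf for the global AddType line described above and comments it out, so that PHP is only enabled where a per-site configuration adds it. The sample php.conf contents are constructed for the demonstration; the path /etc/httpd/conf.d/php.conf and the php4_module line are assumptions standing in for the real file.

```shell
#!/bin/sh
# Added example: detect and disable a server-wide "AddType application/x-httpd-php"
# in an Apache php.conf. Such a line enables PHP on every virtual host, which
# defeats any per-site allow/disallow switch.

# has_global_php_addtype FILE
# Prints every uncommented AddType line for the PHP handler with its line
# number; returns 0 if at least one was found, 1 otherwise.
has_global_php_addtype() {
    grep -nE '^[[:space:]]*AddType[[:space:]]+application/x-httpd-php' "$1"
}

# disable_global_php_addtype FILE
# Comments out those lines, keeping their indentation. The edit goes through
# a temporary file so it works without GNU sed's -i extension.
disable_global_php_addtype() {
    sed -E 's|^([[:space:]]*)(AddType[[:space:]]+application/x-httpd-php.*)$|\1# \2|' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Stand-alone demonstration on a constructed php.conf (replace with the real
# /etc/httpd/conf.d/php.conf when auditing a server).
demo_conf=$(mktemp)
printf '%s\n' \
    'LoadModule php4_module modules/libphp4.so' \
    '# PHP handler (constructed sample)' \
    'AddType application/x-httpd-php .php' \
    'DirectoryIndex index.php' > "$demo_conf"

if has_global_php_addtype "$demo_conf"; then
    echo "global PHP AddType found; commenting it out"
    disable_global_php_addtype "$demo_conf"
fi
if has_global_php_addtype "$demo_conf"; then
    echo "still enabled globally"
else
    echo "PHP is no longer enabled for all virtual hosts"
fi
rm -f "$demo_conf"
```

Once the global line is gone, the same AddType directive can be placed inside the <VirtualHost> block of each site that is supposed to run PHP, so a per-site switch controls where the handler is active; re-run the check after every package update, since a rebuilt php.conf will reintroduce the line.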