I was not referring to "safe mode".

In other languages like Perl or Python, "safe execution" means
that if I execute some code (or eval a code string supplied by
a user), I can restrict what kinds of operations are valid for it,
or what kinds of variables are available to it.

In PHP, if I have my database password in a global var $dbpass,
I cannot prevent this code:

    eval('echo $dbpass;');

from printing my database password. Well of course you could do
unset($dbpass) or even unset($GLOBALS) or save it to somewhere
else... But still I cannot even prevent things like this:

    eval('echo 1/0;');

from stopping my own program because it generates an error that
I cannot trap. Well, actually there are error handlers...

Perhaps you can get your way around to make eval() more secure,
but still I prefer not to trust a code string from a user to be
eval()'ed by my PHP script. Just letting a user modify a template
and changing the look of a page is sufficient for me, since that
is all the user is supposed to gain access to.

Regards,
Steve

At 5/1/2001 02:23 AM, Dave Goodrich wrote:
>On Monday, April 30, 2001, at 12:02 PM, Steven Haryanto wrote:
>
>>Security? I do not want other people to have access to the PHP runtime
>>(where they can do nasty things like stealing my database password,
>>etc). PHP currently does not support any restricted execution of user
>>code whatsoever.
>in httpd.conf
>
><VirtualHost 192.168.3.8>
> DocumentRoot /usr/local/www/thisUser
> ServerName thisUser.myServer.com
> php_value include_path /usr/local/www/thisUser/inc
> php_value open_basedir /usr/local/www/thisUser
></VirtualHost>
>
>You could do a lot to control your users' abilities/privileges in this way.
--
PHP General Mailing List (http://www.php.net/)
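
Added example, not part of the original thread: one way to let users change a page's look without eval(), by substituting an allow-listed set of placeholders in their template. The {{name}} syntax, the render_template() helper and all sample values are assumptions made for this illustration.

```php
<?php
// Constructed stand-in for the global database password from the post.
$dbpass = 'constructed-secret';

/**
 * Replace {{name}} placeholders with HTML-escaped values from $allowed.
 * The template text is never executed; it is only searched and copied.
 * (render_template is a hypothetical helper, not a PHP built-in.)
 */
function render_template(string $template, array $allowed): string
{
    $out = preg_replace_callback(
        '/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/',
        function (array $m) use ($allowed): string {
            $name = $m[1];
            // Only names on the allow-list are substituted. The closure
            // sees $allowed and nothing else, so globals stay out of reach.
            if (!array_key_exists($name, $allowed)) {
                return $m[0];   // unknown placeholder: leave it as literal text
            }
            return htmlspecialchars((string) $allowed[$name], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
    if ($out === null) {
        throw new RuntimeException('template substitution failed');
    }
    return $out;
}

// Constructed user-supplied template that tries to reach the password
// three ways: as a placeholder, as a variable name, and as embedded PHP.
$userTemplate = '<h1>{{title}}</h1><p>Hello {{user}}</p>'
              . '<p>{{dbpass}} $dbpass <?php echo $dbpass; ?></p>';

$html = render_template($userTemplate, [
    'title' => 'My page',
    'user'  => '<b>Steve</b>',   // escaped on output
]);

// The secret never appears in the output: all three attempts stay inert text.
if (strpos($html, $dbpass) !== false) {
    throw new RuntimeException('secret leaked into rendered page');
}

echo $html, "\n";
```

The template's own HTML is emitted as the user wrote it, which is the intended "change the look" capability; only the substituted values are escaped.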