[wp-hackers] Keeping database connection info safe

Rob r at robm.me.uk
Sat Feb 25 04:01:08 GMT 2006


Joseph Scott wrote:
> Rob wrote:
>
>>
>> But then what's to stop the inevitable
>>
>> <?php
>> /*
>> Plugin Name: Evil
>> */
>>
>> foreach(glob(ABSPATH.'/*') as $file) {
>>    unlink($file);
>> }
>>
>> ?>
>>
>> There's no way of stopping malicious code from running other than 
>> reviewing it before you run.
>
>
> Properly set permissions should stop that from working.  The plugin 
> would be run as the web server user, who doesn't need write 
> permissions in order to run PHP code.
>
> -- 
> Joseph Scott
> joseph at randomnetworks.com
> http://joseph.randomnetworks.com/
>
Except WordPress has absolutely no control over what user the web server 
runs under.

-- 
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
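
Whether the permissions described in the exchange above actually hold on a given install can be checked from the shell. The script below is an added example, not part of either message: it lists the directories in which a given account could delete entries, which is what the quoted unlink() loop depends on. The uid/gid arguments, the path and the www-data account in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the web server account is
# given as a uid/gid pair (or names); only its primary group is considered,
# and ACLs and the sticky bit are ignored.

# unlink() removes a directory entry, so it needs write and search (wx)
# permission on the directory holding the file; the file's own mode is not
# consulted. List every directory under ROOT where USER has both bits.
writable_dirs() {
    root=$1 user=$2 group=$3
    find "$root" -type d \( \
        \( -user "$user" -perm -300 \) -o \
        \( ! -user "$user" -group "$group" -perm -030 \) -o \
        \( ! -user "$user" ! -group "$group" -perm -003 \) \
    \) -print
}

# Return 0 when USER cannot delete anything under ROOT, 1 otherwise.
audit_root() {
    found=$(writable_dirs "$1" "$2" "$3")
    [ -z "$found" ] && return 0
    printf '%s can delete entries in:\n%s\n' "$2" "$found" >&2
    return 1
}

# Usage (hypothetical path and account):
#   audit_root /var/www/wordpress www-data www-data
```

A read-only wp-config.php inside a directory the account can write to is still reported, because deleting it only requires permission on the directory.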