[wp-hackers] Keeping database connection info safe
Rob
r at robm.me.uk
Sat Feb 25 04:01:08 GMT 2006
Joseph Scott wrote:
> Rob wrote:
>
>>
>> But then what's to stop the inevitable
>>
>> <?php
>> /*
>> Plugin Name: Evil
>> */
>>
>> foreach(glob(ABSPATH.'/*') as $file) {
>> unlink($file);
>> }
>>
>> ?>
>>
>> There's no way of stopping malicious code from running other than
>> reviewing it before you run.
>
>
> Properly set permissions should stop that from working. The plugin
> would be run as the web server user, who doesn't need write
> permissions in order to run PHP code.
>
> --
> Joseph Scott
> joseph at randomnetworks.com
> http://joseph.randomnetworks.com/
>
Except WordPress has absolutely no control over what user the web server
runs under.
--
Rob Miller
http://robm.me.uk/ | http://kantian.co.uk/
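
The permission question argued in this thread can be checked on a given install. The following is an added example, not part of either poster's message: it lists every path under a WordPress root that a given account could modify, judged from owner, group and mode bits. Deleting a file with unlink() depends on write permission on the containing directory, so directories are reported as well as files. The function name `audit_writable`, the path `/var/www/wordpress` and the account `www-data` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Judges write access from owner, group
# and mode bits only; ACLs, read-only mounts and root's override are ignored.
# Usage, with an assumed path and account name:
#   audit_writable /var/www/wordpress "$(id -u www-data)" $(id -G www-data)
audit_writable() {
    [ "$#" -ge 3 ] || { echo "usage: audit_writable ROOT UID GID..." >&2; return 2; }
    root=$1 uid=$2
    shift 2

    # Rewrite the remaining gid arguments as: -gid A -o -gid B ...
    n=$#
    while [ "$n" -gt 0 ]; do
        gid=$1; shift; n=$((n - 1))
        if [ "$n" -gt 0 ]; then
            set -- "$@" -gid "$gid" -o
        else
            set -- "$@" -gid "$gid"
        fi
    done

    # Symlinks are skipped because their own mode bits grant nothing.
    # 1. Owned by the account: reported even if u-w, since an owner can chmod.
    # 2. Not owner but in the file's group: the group write bit decides.
    # 3. Neither owner nor group member: the world write bit decides.
    # A writable directory means its entries can be deleted or replaced,
    # whatever the mode of the files inside it.
    find "$root" ! -type l \( \
        -uid "$uid" \
        -o \( \( "$@" \) -perm -020 \) \
        -o \( ! \( "$@" \) -perm -002 \) \
    \) -print
}
```

Empty output means the account cannot change anything under the root by ordinary permissions; any directory listed is a place where that account can delete or replace files.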