[Pmwiki-users] Safer .php-files
Patrick R. Michaud
pmichaud
Thu Feb 26 09:57:12 CST 2004
On Thu, Feb 26, 2004 at 05:26:11PM +0100, Thomas -Balu- Walter wrote:
> On Thu, Feb 26, 2004 at 12:41:55PM +0100, Christian Ridderström wrote:
> > I'd like some opinions on putting this first in all .php-files:
> > if(!isset($Version)) {
> >   header('Content-Type: text/plain');
> >   print implode('',file($_SERVER['SCRIPT_FILENAME']));
> >   exit;
> > }
> > Is there a risk that $_SERVER['SCRIPT_FILENAME'] won't be portable?
>
> Yes :-( - I've run into that problem once. Not sure what environment and
> version it was so. Since you are in the file you might be able to use
> something like __FILE__ (which was broken in some versions too though :()
Lots of PHP installations have problems with server variables being set
to odd values--this is why $_SERVER['PATH_INFO'] is often such a challenge!
> I strongly vote against using variables. If you have a box that has
> register_globals on they can be set using different ways.
I agree with the idea of using defined constants over variables.
However, it should also be noted that PmWiki actually protects against
register_globals by explicitly unsetting any such globals that might
have been set.
I'll be adding the "if (!defined(...)) exit;" clauses to PmWiki's scripts
in a future release.
Pm
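
As an added illustration of the guard discussed in this message (not code from PmWiki or from the posters), the following PHP sketch compares the variable-based check with a constant-based one. `register_globals` is simulated on an array because the setting was removed in PHP 5.4; the constant name `ENTRY_POINT`, the placeholder version string and all function names are hypothetical.

```php
<?php
// Added example; not PmWiki code. ENTRY_POINT and every function name
// below are hypothetical.

// register_globals copied request parameters into global variables.
// Simulated here on an array that stands in for the global scope.
function import_request(array $request, array $scope): array {
    return array_merge($scope, $request);
}

// The mitigation described in the message: drop any global whose name
// arrived with the request, before the scripts set their own globals.
function unset_request_globals(array $request, array $scope): array {
    return array_diff_key($scope, $request);
}

// Guard as first proposed in the thread: trusts a variable.
function variable_guard_passes(array $scope): bool {
    return isset($scope['Version']);
}

// Guard the thread settles on: trusts a constant, which only code
// running on the server can define.
function constant_guard_passes(): bool {
    return defined('ENTRY_POINT');
}

// Constructed request sent directly to an include file.
$request = ['Version' => 'anything'];

// Case 1: register_globals on, no cleanup. The request-supplied
// $Version is all the variable guard looks at; no constant exists yet.
$scope = import_request($request, []);
var_dump(variable_guard_passes($scope), constant_guard_passes());

// Case 2: same request after request-supplied globals are unset.
$scope = unset_request_globals($request, $scope);
var_dump(variable_guard_passes($scope), constant_guard_passes());

// Case 3: the entry script ran first and set its own markers.
define('ENTRY_POINT', true);
$scope['Version'] = 'version-placeholder';
var_dump(variable_guard_passes($scope), constant_guard_passes());
```

In an include file the constant-based form reduces to `if (!defined('ENTRY_POINT')) exit;` as its first statement, with the matching `define()` in the entry script.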