hi.
i've noticed some users seem to be unaware of either rules specific to Zedler, or general php security issues.
please be aware that:
* you must not install third-party web applications on Zedler. this includes putting mediawiki source code in your public_html, even if you don't configure it. this also includes phpmyadmin. this also includes applications protected by passwords or other access restrictions. there are no exceptions to this. (if you believe you have a very good reason to do this, ask me first.)
if you must use it, put it elsewhere, and keep it up to date. DO NOT provide access to it via HTTP. the only valid reason for installing MediaWiki is to run maintenance scripts from the command line, or to use MW libraries in your own applications.
this is extremely important. i will start disabling applications which do not conform to this rule.
* do not place sensitive information (such as passwords) in world-readable files. since CGI scripts, including PHP, run as your uid, there is no need to do this.
* when you use data from $_GET, $_POST, etc. in SQL queries, you MUST escape it. please familiarise yourself with this function: http://uk.php.net/mysql_real_escape_string
* when you print user-supplied data in HTML, you must also escape it: http://uk.php.net/manual/en/function.htmlspecialchars.php
neither of the last two is specific to PHP, but for some reason PHP code seems to be a lot worse, on average.
if you have not already done so, please ensure you are familiar with the rules for Zedler users: http://meta.wikimedia.org/wiki/Toolserver/Rules
k.
toolserver-l@lists.wikimedia.org
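A worked version of the escaping rules above (request data into SQL, user-supplied data into HTML), added here as an illustration; it is not code from the original mail. It assumes a hypothetical table `tools` with columns `owner` and `name`, credentials kept in a 0600 file outside public_html at a hypothetical path, and uses `mysqli_real_escape_string` because the `mysql_*` extension linked above was removed in PHP 7; the rule is the same.

```php
<?php
// Credentials live outside public_html in a file readable only by your uid
// (mode 0600); CGI/PHP runs as you, so nothing needs to be world-readable.
// Path and key names are hypothetical.
$cfg = parse_ini_file('/home/example/.db_credentials.ini');
$db = new mysqli('localhost', $cfg['user'], $cfg['password'], $cfg['db']);
if ($db->connect_error) {
    die('db connection failed');
}
$db->set_charset('utf8mb4'); // escaping is charset-aware: set it before escaping

// UNSAFE (never executed here): request data interpolated straight into SQL.
// A value containing a single quote changes the meaning of the statement.
$owner = $_GET['owner'] ?? '';
$unsafe_sql = "SELECT name FROM tools WHERE owner = '$owner'";

// SAFE, as the mail requires: escape every request value before it enters SQL.
// Escaping only protects quoted string literals; numbers are cast instead.
$owner_esc = $db->real_escape_string($owner);
$limit = (int) ($_GET['limit'] ?? 10);
$sql = "SELECT name FROM tools WHERE owner = '$owner_esc' LIMIT $limit";
$result = $db->query($sql);

// Stronger alternative: a prepared statement keeps data and SQL separate,
// so no escaping step can be forgotten.
$stmt = $db->prepare('SELECT name FROM tools WHERE owner = ? LIMIT ?');
$stmt->bind_param('si', $owner, $limit);
$stmt->execute();

// Output: escape again, this time for HTML, so a name containing < or "
// is shown as text instead of being parsed as markup. ENT_QUOTES also
// escapes single quotes, which matters inside attribute values.
echo "<ul>\n";
foreach ($stmt->get_result() as $row) {
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    echo "<li>" . $name . "</li>\n";
}
echo "</ul>\n";

// Escape for the context the data is going into, from the original value
// each time: the SQL-escaped $owner_esc is not safe for HTML.
echo '<p>Owner: ' . htmlspecialchars($owner, ENT_QUOTES, 'UTF-8') . "</p>\n";
```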