[Toolserver-l] notes on security (important)
Kate
lithiana at livejournal.com
Thu Dec 15 10:29:16 UTC 2005
hi.
i've noticed some users seem to be unaware of either rules specific to
Zedler, or general php security issues.
please be aware that:
* you must not install third-party web applications on Zedler. this
includes putting mediawiki source code in your public_html, even if
you don't configure it. this also includes phpmyadmin. this also
includes applications protected by passwords or other access
restrictions. there are no exceptions to this. (if you believe you
have a very good reason to do this, ask me first.)
if you must use it, put it elsewhere, and keep it up to date. DO NOT
provide access to it via HTTP. the only valid reason for installing
MediaWiki is to run maintenance scripts from the command line, or using
MW libraries in your own applications.
this is extremely important. i will start disabling applications
which do not conform to this rule.
* do not place sensitive information (such as passwords) in
world-readable files. since CGI scripts, including PHP, run as your
uid, there is no need to do this.
* when you use data from $_GET, $_POST, etc. in SQL queries, you MUST
escape it. please familiarise yourself with this function:
http://uk.php.net/mysql_real_escape_string
* when you print user-supplied data in HTML, you must also escape it:
http://uk.php.net/manual/en/function.htmlspecialchars.php
neither of the last two is specific to PHP, but for some reason PHP code
seems to be a lot worse, on average.
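the two escaping steps above, and the point about not keeping passwords in world-readable files, as one worked example; this is an added illustration and not code from the original mail. it assumes the legacy mysql_* extension current in 2005 (removed in PHP 7, where mysqli/PDO prepared statements take its place), a placeholder table and column, and credentials kept in a file in your home directory that only your uid can read:

```php
<?php
// Added example, not from the original mail. Demonstrates: credentials kept
// out of world-readable files, escaping request data for SQL, and escaping
// it again for HTML. Table/column names are placeholders.

// Credentials live in ~/.toolserver_db.ini (placeholder name) with mode 0600,
// so other users on the shared host cannot read them. CGI runs as your uid,
// so the script can still open the file.
$cfg  = parse_ini_file($_SERVER['HOME'] . '/.toolserver_db.ini');
$link = mysql_connect('sql', $cfg['user'], $cfg['password']);
mysql_select_db($cfg['database'], $link);

// Request data is untrusted and must never be interpolated as-is.
$user = isset($_GET['user']) ? $_GET['user'] : '';

// WRONG: a single quote in $user ends the string literal and the remainder
// becomes part of the SQL statement.
// $q = "SELECT page_title FROM page WHERE page_title = '$user'";

// RIGHT: escape for the SQL string context, then keep the quotes around it.
$safeUser = mysql_real_escape_string($user, $link);
$q   = "SELECT page_title FROM page WHERE page_title = '$safeUser'";
$res = mysql_query($q, $link);

// Escaping only protects quoted string literals. An unquoted numeric value
// must be cast instead, e.g. $id = (int) $_GET['id'];

echo "<ul>\n";
while ($row = mysql_fetch_assoc($res)) {
    // RIGHT: escape for the HTML context before printing. ENT_QUOTES also
    // converts single quotes, which matters inside attribute values.
    echo '<li>' . htmlspecialchars($row['page_title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
echo "</ul>\n";

// The SQL-escaped copy is NOT HTML-safe; the original value gets its own
// HTML escaping when it is printed.
echo '<p>results for ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . "</p>\n";
```

the two escapings are per-context and not interchangeable: a value escaped for SQL still needs htmlspecialchars() before it goes into a page, and vice versa.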
if you have not already done so, please ensure you are familiar with the
rules for Zedler users:
http://meta.wikimedia.org/wiki/Toolserver/Rules
k.