[geeklog-devel] PHP in Static Pages

Dirk Haun dirk at haun-online.de
Tue Jan 13 15:26:24 EST 2004

(moving this to the list from private email)

Tony wrote:

>Have we considered the possibility of stripping calls to certain php 
>functions?  I know we turn PHP off by default and have documented how 
>enabled PHP could be stupid (especially considering most GL logins don't 
>occur over SSL).  Specifically, exec(), system() and some of the 
>filesystem methods should probably be removed or, at the very least, 
>generated emails to the GL admin when they are found.

I can't see how you would do this (reliably) without adding a PHP parser
to Geeklog.

There is a feature request that suggests limiting PHP to only call
certain functions (prefixed with phpstatic_):

Looks like the intention was to make it similar to PHP blocks.

>Just thinking of ways to be more proactive security-wise with this. 
>Personally I hate seeing PHP in static pages...but I grudgingly conceded 
>considering users seem to insist on having it.

I guess an option in the static pages' config.php to disable PHP
altogether can't hurt ...

bye, Dirk
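The thread above contrasts two approaches: stripping known-dangerous names such as exec() and system() from static-page PHP (which Dirk argues cannot be done reliably without a real parser), and the feature request that would only allow calls to functions prefixed with phpstatic_. The following is an added example, not code from Geeklog or from either poster, showing the second approach built on PHP's own tokenizer rather than on pattern matching: everything that is not a direct call to a prefixed function is rejected, so there is no list of bad names to keep complete. The function names phpstatic_check() and phpstatic_allowed(), the config keys $_SP_CONF['allow_php'] and $_SP_CONF['php_func_prefix'], and the assumption that the page body is bare PHP code are all mine, not Geeklog's.

```php
<?php
// Added example, not Geeklog code. Allowlist check for PHP embedded in a
// static page, in the spirit of the "phpstatic_" feature request.

// Assumed config keys (hypothetical, not real Geeklog settings).
$_SP_CONF['allow_php']       = true;          // false disables PHP outright
$_SP_CONF['php_func_prefix'] = 'phpstatic_';

/**
 * Return the violations found in $code (bare PHP, no opening tag assumed).
 * An empty array means the snippet only makes direct calls to functions
 * whose name starts with $prefix.
 */
function phpstatic_check(string $code, string $prefix = 'phpstatic_'): array
{
    $violations = [];
    $tokens = token_get_all('<?php ' . $code);   // tokenize with PHP's own lexer
    $count  = count($tokens);

    // Token ids that carry a function or class name; the T_NAME_* ids only
    // exist on PHP 8, where "\exec" is a single token instead of two.
    $nameIds = [T_STRING];
    if (defined('T_NAME_QUALIFIED')) {
        $nameIds[] = T_NAME_QUALIFIED;
        $nameIds[] = T_NAME_FULLY_QUALIFIED;
    }

    $prevId = null;   // id (or literal char) of the last non-whitespace token

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];

        // Single-character tokens are plain strings; a backtick runs a shell.
        if (!is_array($tok)) {
            if ($tok === '`') {
                $violations[] = 'backtick operator';
            }
            $prevId = $tok;
            continue;
        }

        [$id, $text, $line] = $tok;
        if ($id === T_WHITESPACE) {
            continue;
        }

        // Constructs that execute code or load files are never allowed.
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $violations[] = "line $line: $text";
            $prevId = $id;
            continue;
        }

        // Look past whitespace to see whether this token is followed by "(".
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        $isCall = ($j < $count && $tokens[$j] === '(');

        if ($isCall && in_array($id, $nameIds, true)) {
            // "function foo(" is a definition, not a call; skip it.
            if ($prevId !== T_FUNCTION) {
                $name = ltrim($text, '\\');
                if (stripos($name, $prefix) !== 0) {
                    $violations[] = "line $line: call to $name()";
                }
            }
        } elseif ($isCall && $id === T_VARIABLE) {
            // $name(...) cannot be checked statically, so it is rejected.
            $violations[] = "line $line: variable function call $text()";
        }

        $prevId = $id;
    }
    return $violations;
}

/** Combine the allowlist with an outright on/off switch, as Dirk suggests. */
function phpstatic_allowed(string $code, array $conf): bool
{
    if (empty($conf['allow_php'])) {
        return false;
    }
    return phpstatic_check($code, $conf['php_func_prefix']) === [];
}

// Constructed samples for demonstration.
$samples = [
    'prefixed call'  => 'echo phpstatic_hello("world");',
    'blocked call'   => 'echo system("uptime");',
    'variable call'  => '$f = "sys" . "tem"; echo $f("uptime");',
];
foreach ($samples as $label => $code) {
    $verdict = phpstatic_allowed($code, $_SP_CONF) ? 'allowed' : 'rejected';
    echo str_pad($label, 14), ": $verdict ", json_encode(phpstatic_check($code)), "\n";
}
```

The point of the tokenizer route is that it does not try to enumerate what is dangerous: a name that is not prefixed, a call through a variable, eval, include/require and backticks are all refused regardless of spelling, whereas a strip-list of exec() and system() has to be kept complete by hand. Method and static calls (`$obj->foo()`, `Foo::bar()`) land in the same "call to foo()" branch and are rejected unless prefixed, which is the conservative choice for content that, as Tony notes, is often edited over a non-SSL login.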
