[geeklog-devel] PHP in Static Pages

Dirk Haun dirk at haun-online.de
Tue Jan 13 15:26:24 EST 2004


(moving this to the list from private email)

Tony wrote:

>Have we considered the possibility of stripping calls to certain php 
>functions?  I know we turn PHP off by default and have documented how 
>enabled PHP could be stupid (especially considering most GL logins don't 
>occur over SSL).  Specifically, exec(), system() and some of the 
>filesystem methods should probably be removed or, at the very least, 
>generate emails to the GL admin when they are found.

I can't see how you would do this (reliably) without adding a PHP parser
to Geeklog.


There is a feature request that suggests limiting PHP to only call
certain functions (prefixed with phpstatic_):
<http://project.geeklog.net/tracker/index.php?func=detail&aid=83&group_id=6&atid=108>

Looks like the intention was to make it similar to PHP blocks.


>Just thinking of ways to be more proactive security-wise with this. 
>Personally I hate seeing PHP in static pages...but I grudgingly conceded 
>considering users seem to insist on having it.

I guess an option in the static pages' config.php to disable PHP
altogether can't hurt ...

bye, Dirk


-- 
http://www.haun-online.de/
http://www.tinyweb.de/
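
The allow-list idea from the feature request mentioned above, sketched as an added example (not part of the original message and not Geeklog code): it runs the page code through PHP's own tokenizer instead of string matching, and rejects every call whose name lacks the phpstatic_ prefix along with constructs that can reach other code. The names phpstatic_check() and phpstatic_menu() are hypothetical, and the check errs on the side of rejecting.

```php
<?php
// Added example: allow-list check for static page PHP. Assumes the
// tokenizer extension (token_get_all) is available.
// phpstatic_check() and phpstatic_menu() are hypothetical names.

function phpstatic_check(string $code): array
{
    $names  = ['T_STRING', 'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'];
    // Constructs that run or load code without a plain named call.
    $banned = ['T_EVAL', 'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE', 'T_REQUIRE_ONCE',
               'T_NEW', 'T_FUNCTION', 'T_FN', 'T_OBJECT_OPERATOR',
               'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON'];
    $skip   = ['T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT'];
    // A '(' right after one of these is a call through an expression.
    $dynamic = ['T_VARIABLE', 'T_CONSTANT_ENCAPSED_STRING', ')', ']', '}', '"'];
    $errors = [];
    $prev   = null;   // previous significant token as [type, text]

    foreach (token_get_all('<?php ' . $code) as $tok) {
        // Multi-character tokens are arrays, single characters are strings.
        $type = is_array($tok) ? token_name($tok[0]) : $tok;
        $text = is_array($tok) ? $tok[1] : $tok;
        if (in_array($type, $skip, true)) {
            continue;
        }
        if (in_array($type, $banned, true) || $type === '`') {
            $errors[] = "construct not allowed: $text";
        } elseif ($type === '(' && $prev !== null) {
            [$ptype, $ptext] = $prev;
            if (in_array($ptype, $names, true)) {
                // PHP function names are case-insensitive, hence stripos().
                if (stripos($ptext, 'phpstatic_') !== 0) {
                    $errors[] = "call to non-allowed function: $ptext";
                }
            } elseif (in_array($ptype, $dynamic, true)) {
                $errors[] = "dynamic call not allowed after: $ptext";
            }
        }
        $prev = [$type, $text];
    }
    return $errors;
}

// Constructed sample inputs: an allowed call, a denied call, a dynamic call.
foreach (["echo phpstatic_menu('main');", "system('uptime');", '$f = "phpstatic_menu"; $f();'] as $page) {
    echo $page, "\n";
    print_r(phpstatic_check($page));
}
```

A check like this only narrows what page code can call; the phpstatic_ functions it admits still have to be safe on their own inputs.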