This is slightly off-topic from the original post so I'm changing the subject.

On Dec 9, 2007 6:30 PM, Shai Gluskin <shai@content2zero.com> wrote:
> Here is the handbook page that describes why not using user/1 for day-to-day is a best practice:

I don't think the conclusion you've drawn is really reflected in the meat of the page. That's especially true if you use an account that is granted a role that has all permissions on a site - that account is just as vulnerable to most of the security problems listed on that page.

The only thing that the "user 2 with all privileges" setup gets you is a small amount of protection on security holes/actions in the update.php file. But if you have a "user 2 with all privileges" then that person probably has access to php input format and can do a lot of damage to your site (which is worth a reminder: if you don't need it then disable the php input format).

Regards,
Greg

--
Greg Knaddison
Denver, CO | http://knaddison.com
World Spanish Tour | http://wanderlusting.org/user/greg