[development] Remove PHP filter by default
Adrian Rossouw
adrian at bryght.com
Mon Jan 30 00:18:28 UTC 2006
On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
>
> <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> uid=1"); ?>
It's not just that site either.
A PHP page can open up all the settings.php files in sites/* and change the passwords for ANY of your sites.
So a single person on a large multisite install could compromise ALL the sites.
FYI: I set db credentials in the virtual host entry using setenv, so that it is only defined for that session.
--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com
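
A sketch of the setup mentioned in the FYI above, added here as an example and not taken from the original message or from Drupal's shipped settings.php: the virtual host supplies the credentials through Apache's SetEnv and settings.php assembles `$db_url` from them. The `DRUPAL_DB_*` variable names, the `db_url_from_env()` helper, the host name and the sample values are assumptions.

```php
<?php
// Added example: a hypothetical sites/example.com/settings.php.
// Assumed Apache virtual host entry (mod_env); all values are constructed:
//   <VirtualHost *:80>
//     ServerName example.com
//     SetEnv DRUPAL_DB_USER example_user
//     SetEnv DRUPAL_DB_PASS "constructed-sample-password"
//     SetEnv DRUPAL_DB_NAME example_db
//   </VirtualHost>
// The DRUPAL_DB_* names are assumptions made for this example.

function db_url_from_env($host = 'localhost') {
  $parts = array();
  foreach (array('USER', 'PASS', 'NAME') as $key) {
    $value = getenv('DRUPAL_DB_' . $key);
    if ($value === false || $value === '') {
      // Fail closed: never fall back to a credential stored in this file.
      header('HTTP/1.1 503 Service Unavailable');
      exit('Database configuration missing for this virtual host.');
    }
    // $db_url is parsed as a URL, so characters such as @ : / must be encoded.
    $parts[$key] = rawurlencode($value);
  }
  return 'mysql://' . $parts['USER'] . ':' . $parts['PASS']
       . '@' . $host . '/' . $parts['NAME'];
}

// No password is stored under sites/*, so reading this file reveals none.
$db_url = db_url_from_env();
```

This keeps the password out of the files under sites/*, so reading another site's settings.php yields no credentials. PHP evaluated inside the same virtual host can still call getenv() and see that host's own values.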