[development] Remove PHP filter by default

Adrian Rossouw adrian at bryght.com
Mon Jan 30 00:18:28 UTC 2006

On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
> <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
> uid=1"); ?>

It's not just that site either.

A php page can open up all the settings.php files in sites/* and  
change the passwords
for ANY of your sites.

So a single person on large multisite install could compromise ALL  
the sites.

FYI: i set db credentials in the virtual host entry using setenv, so  
that it is only defined
for that session.

Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com

More information about the development mailing list