[development] Remove PHP filter by default
Gerhard Killesreiter
gerhard at killesreiter.de
Mon Jan 30 01:52:55 UTC 2006
Adrian Rossouw wrote:
>
> On 30 Jan 2006, at 12:00 AM, Larry Garfield wrote:
>
>>
>> <?php db_query("Update {users} set name='me', pass=md5('ownzed') where
>> uid=1"); ?>
>
>
> It's not just that site either.
>
> A php page can open up all the settings.php files in sites/* and
> change the passwords
> for ANY of your sites.
>
If your site is running unmodified mod_php you are in for a few more
surprises. =:)
Cheers,
Gerhard