PHP is a security risk?

Hi. I am developing a new project at hexuk.com

I was recently attaching a file to a post of mine in our magento forum. I had a warning halt my work stating that PHP files cannot be attachments due to security risks.

For now I am highlighting the scripting within the files and posting them within the

[code][/code]

tags.

I am guessing this is the only way to go for now and it's no real problem. Has anyone got more information into how this can be bypassed and what the risks actually are?

Thanks, Mark Birchall (Hex UK)

Tags: PHP

2 Comments
@NogDog, Jul 14, 2010 — Presumably the risk is if a PHP script is uploaded to a web host with a .php suffix -- or any other suffix which that host would treat as a PHP file -- then a malicious user could upload a script that does nasty things, and then access it via URL to trigger it. If you just want to upload a file to a forum so that the source code can be viewed/downloaded, the quickest work-around would be to rename it with a .txt file name suffix so that it's treated as a plain text file. Alternatively, some web servers are configured to display files with a .php[b]s[/b] suffix to show the source code instead of parsing it as PHP, in which case you could either give it that suffix, or alter the forum code to rename a .php file as .phps.
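As an added example (not code from the thread or from Magento), here is how a forum's attachment handler could apply the work-around NogDog describes on the server side instead of asking posters to rename files: every attachment is stored under a generated name whose only suffix is .txt, so the host never sees a .php (or double-extension) file name it might hand to the PHP interpreter. The function names and the upload directory are assumptions for illustration.

```php
<?php
// Added example, not part of the original thread. Stores forum attachments
// as plain text regardless of the name the uploader chose, so an uploaded
// PHP script can be read or downloaded but never executed by the web host.
declare(strict_types=1);

/**
 * Derive a safe stored name from the uploader-supplied file name.
 * Directory components, control characters and every extension
 * (including double extensions such as "snippet.php.txt") are dropped
 * and a single .txt suffix is appended.
 */
function safeAttachmentName(string $originalName): string
{
    $base = basename($originalName);
    // Keep only a conservative character set in the stem.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base) ?? 'attachment';
    // Cut at the first dot so no suffix from the original name survives.
    $stem = preg_replace('/\..*$/', '', $base);
    if ($stem === null || $stem === '') {
        $stem = 'attachment';
    }
    return $stem . '.txt';
}

/**
 * Move one entry of $_FILES into $uploadDir (assumed path) under a random,
 * non-guessable name and return that name for the forum to link to.
 */
function storeAttachment(array $file, string $uploadDir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed with error code $error");
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $stored = bin2hex(random_bytes(8)) . '-' . safeAttachmentName($file['name']);
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $stored;
}

// Constructed sample names, run from the command line to show the mapping.
if (PHP_SAPI === 'cli') {
    foreach (['Mage_Helper.php', 'shell.php.jpg', '../.htaccess', 'notes.txt'] as $n) {
        printf("%-20s -> %s\n", $n, safeAttachmentName($n));
    }
}
```

Renaming is only half of the defence: the upload directory itself should have the PHP handler switched off (for Apache with mod_php, `php_flag engine off` in that directory's .htaccess, or the equivalent handler removal in the vhost), so that even a file that slips through with a runnable suffix is served as static content rather than parsed.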
@hexuk (author), Jul 14, 2010 — Thanks for the reply. Nice to have a clearer insight into this issue.