[Phpmyadmin-devel] disabled functions for security

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Sun Feb 23 03:57:07 CET 2003


Rabus wrote:
> -----Original Message-----
> From: Marc Delisle
> 
>>We got a report from a user, his ISP has disabled ini_get() and
>>mysql_list_dbs() for security reasons.
> 
> 
> Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs()
> ???

Fine admins at members.lycos.co.uk.  Talk to them, you are in Europe :)

> I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW
> DATABASES;') since this should bring the same result.

Let's look at this after 2.4.0, I think it's late in the cycle to 
introduce this.

> 
> 
>>Problem is, in this case, function_exists('ini_get') is true
>>even if ini_get() is disabled.
>>
> 
> 
> This is a problem, indeed. As far as I can say, we can only work around
> this by adding a new directive to the config file, e.g.
> $cfg['IniGetDisabled'] with default value FALSE. In this case we simply
> replace ...
> 
> function_exists('ini_get')
> 
> ... by ...
> 
> (!$cfg['IniGetDisabled'] && function_exists('ini_get'))

Good idea, but if IniGetDisabled, we cannot detect if uploads are 
enabled, so we should set $is_upload to TRUE. The worst that can
happen is that they get an error trying to upload.

Marc
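
Added example, not part of the original message and not phpMyAdmin's code: one way to combine the `$cfg['IniGetDisabled']` directive proposed above with the "assume uploads are enabled" fallback. The function name `example_is_upload()` and its injectable `$iniGet` parameter are hypothetical; `file_uploads` is PHP's own ini setting.

```php
<?php
// Hypothetical helper illustrating the thread's proposal.
// $cfg['IniGetDisabled'] is the directive suggested in the thread (default FALSE).
// $iniGet is an assumption of this example: it lets the lookup be replaced
// for testing; when omitted, PHP's ini_get() is used.
function example_is_upload(array $cfg, ?callable $iniGet = null): bool
{
    // The admin's explicit setting takes precedence, because
    // function_exists('ini_get') was reported TRUE on a host where
    // ini_get() had been disabled.
    $usable = empty($cfg['IniGetDisabled'])
        && ($iniGet !== null || function_exists('ini_get'));

    if (!$usable) {
        // Upload support cannot be detected: treat it as enabled.
        // The worst outcome is an error when the user tries to upload.
        return true;
    }

    $lookup = $iniGet ?? 'ini_get';
    $raw = $lookup('file_uploads');

    // ini_get() returns a string ("1", "", "0", or the literal ini text
    // such as "On"), or false for an unknown setting.
    $value = strtolower(trim((string) $raw));
    return in_array($value, ['1', 'on', 'true', 'yes'], true);
}

// Constructed sample configurations and ini values.
$cases = [
    'ISP disabled ini_get()' => [['IniGetDisabled' => true], null],
    'uploads off in php.ini' => [['IniGetDisabled' => false],
                                 function ($key) { return '0'; }],
    'uploads on in php.ini'  => [['IniGetDisabled' => false],
                                 function ($key) { return 'On'; }],
];

foreach ($cases as $label => $case) {
    list($cfg, $iniGet) = $case;
    $is_upload = example_is_upload($cfg, $iniGet);
    echo $label, ': $is_upload = ', var_export($is_upload, true), "\n";
}
```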




