[Phpmyadmin-devel] disabled functions for security

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Sun Feb 23 03:57:07 CET 2003

Rabus wrote:
> -----Original Message-----
> From: Marc Delisle
>>We got a report from a user, his ISP has disabled ini_get() and
>>mysql_list_dbs() for security reasons.
> Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs()
> ???

Fine admins at members.lycos.co.uk.  Talk to them, you are in Europe :)

> I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW
> DATABASES;') since this should bring the same result.

Let's look at this after 2.4.0, I think it's late in the cycle to 
introduce this.

>>Problem is, in this case, function_exists('ini_get') is true
>>even if ini_get() is disabled.
> This is a problem, indeed. As far as I can say, we can only work around
> this by adding a new directive to the config file, e.g.
> $cfg['IniGetDisabled'] with default value FALSE. In this case we simply
> replace ...
> function_exists('ini_get')
> ... by ...
> (!$cfg['IniGetDisabled'] && function_exists('ini_get'))

Good idea, but if IniGetDisabled, we cannot detect if uploads are 
enabled, so we should set $is_upload to TRUE. The worst that can
happen is that they get an error trying to upload.


More information about the Developers mailing list