sg

Sunday, December 04, 2005

[Gmail-Lounge] Re: php questions

I'd just like to mention that your arguments in this thread are "new"
arguments replacing the arguments previously used--you've gone from "If you have
htaccess or mod_rewrite, you're endangering your data!" to "If you have
these things, you're endangering the rest of the internet!" -- changing
tactics, confused, what? ;) Y

Kass Lloyd <kasslloyd@gmail.com> wrote:
>
>
>There's a couple security risks these pose:
>
>1. mod_rewrite allows you to hide scripts as images or other file
>types.

I'll give you that--but we don't take away cars, guns, booze or steak
knives because in the wrong conditions they can be dangerous to others.
Hell, why don't we just take away the Internet altogether since it poses a
great potential security risk?

>2. .htaccess if not restricted can modify lots of apache variables.

But your argument has been that only complete idiots allow .htaccess. I
disagree, I have used -several- web hosts over the years that intuitively
allow .htaccess to give the user maximum control without endangering
others. Yes, if you don't know what you're doing, giving a user .htaccess
poses a huge risk -- but we're not talking about some novice hosting out
his own computer. We're talking professional grade web hosting. Anyone
who knows what they're doing is going to go with a web host who knows -at
least as well- what they are doing -- and they're going to provide these
features and they're going to provide them in a manner that offers power,
flexibility AND security.

The problem I see in this thread is that you're terribly paranoid without
bothering to inject some data. How many web hosts have you used and to
what capacity? I mean no offense in saying I believe you're quite aware of
-potential- security holes but are completely unaware of how many
professionals know how to deal with these potential risks WITHOUT
completely withholding from their users.

>3. You are correct that a very well setup and security tight box, that
>these features pose little or no threat. But most people don't have
>the time to keep up with every little security trend and bug and may
>not know every little trick to secure and restrict these features.

Again, I'm not talking about John Doe hosting me on his home computing.
I'm talking about professional web hosting--firms which are largely more
competent than you give them credit for.

>4. Directory security, many web servers are set up so that any user can
>browse and access basically any file on the system.

You use sweeping terms like "many" and "most" but don't bother mentioning
any. I'm not going to go off any more, I'm just going to re-reference my
prior text in this post. You're terribly paranoid and completely out of
touch with modern professional web hosting.

I'm guessing you're operating under the knowledge of security bulletins and
don't actually sample the technology yourself.

A.
