Php can access everywhere !

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Php can access everywhere !

Postby maitrelame2 » 27. October 2007 20:32

Hi !

I am starting a web hosting service for free but I noticed that anybody can delete anything on the Hard drive with php :

My xampp folder is i:/xampp/htdocs
And the user test would be in i:/xampp/htdocs/test

So I tried to delete the folder I:/test which I created for the test and I actually deleted it...

That's very dangerous for my server.
How can I change that and only allow to modify files in the user's directory?

Posts: 2
Joined: 27. October 2007 20:27

Re: Php can access everywhere !

Postby Izzy » 28. October 2007 02:11

I:\test is not the same as I:\xampp\htdocs\test which = http://localhost/test/
xampp\htdocs being the default server's root directory defined in the xampp\apache\conf\httpd.conf file.

If you are trying to delete from I:\test ??? and not from http://localhost/test then the result may be as you indicated above, as you are not going through the server's inbuilt restrictions which are designed to give some level of protection to files and directories outside the server's root - htdocs.

php files should always be called through the server and would be if you gave hosting facilities, not through a directory call by you at your PC as you indicated in your post.

Try and delete the test directory by using a URL in your browser which is as a hosting client would only be able to do, instead of a direct directory call.

This from
If do you want to offer PHP executions for outside persons, please think about a "safe mode" configuration. But for standalone developer we recommend NOT the "safe mode" configuration because some important functions will not working then. More Info

Also do some research using .htaccess.

BTW it is noted on various ApacheFriends web pages and within this forum that there may be security risks in using XAMPP in a production environment as it does not have the Linux enabled web server's level of configurable security.

Having said that even Linux based servers, with all it's security available configurations, is no match for some 'script kiddies' who seem hell bent on reaping havoc for some self indulgent interest.

1. The new DeskTopXampp launch control for XAMPP / XAMPPlite
Posted by Ridgewood available from Ridgewood'sDTX web site

2. Make Richer Ajax Applications - Faster
TIBCO General Interface Pro Edition but FREE and Open Source
Fully working with NO donations required to get a user/password
Posts: 3344
Joined: 25. April 2006 17:06

Postby maitrelame2 » 28. October 2007 06:53

So I can't offer web hosting under windows because I can't set a good security level...
Posts: 2
Joined: 27. October 2007 20:27

Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 46 guests