SpookTech
08-24-2006, 02:18 AM
Hi, if I put a .htaccess file in a folder that contains "deny from all", then nobody should be able to access any files in that folder or its sub-folders. Is there any way someone could delete or change that .htaccess file? I've programmed my site to stop people from doing anything to it in the upload panel. Someone could upload a PHP script to delete it, but if nobody has access to that folder, then can I assume there is no way to run the script?
A-Wing
08-25-2006, 04:12 AM
Short answer is: if you have a vulnerability that someone can get through with enough privileges (vulnerable PHP script, Perl script or unpatched flaw) and execute something, then it is possible, as they won't be restricted by Apache's allow/deny. But if someone did that, your .htaccess file is not likely to be the target; most just upload bots or deface. I have seen only 1 case in the last 3 years of someone deliberately breaking in to steal / modify specific data via a flaw in a PHP script.
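The point above is that Apache's allow/deny only governs HTTP requests; PHP (or anything else) running as the web-server user talks to the filesystem directly and is never consulted about .htaccess. The following is an added example, not configuration from the thread, showing the usual way to make the rule independent of a file that sits inside a writable upload folder: put it in the main server config and stop Apache from honouring .htaccess there at all. The path is an assumption.

```apache
# Added example, not from the thread. Moves the access rule out of a file that
# lives inside the (writable) upload folder and into httpd.conf, which the
# PHP process cannot modify. Path is an assumption.
<Directory "/var/www/site/uploads">
    # Ignore any .htaccess an attacker manages to write or rename here.
    AllowOverride None

    # Apache 2.2 syntax (current when this thread was written):
    Order deny,allow
    Deny from all

    # Apache 2.4 equivalent (use instead of the two lines above):
    # Require all denied

    # Belt and braces: even if access is ever opened, never run PHP from here
    # (mod_php only).
    php_admin_flag engine off
</Directory>
```

If the .htaccess file has to stay, remember that deleting or renaming a file needs write permission on the directory, not on the file, and the upload directory must be writable for uploads to work at all. On Linux the sticky bit closes that gap: with the directory owned by root (mode 1775, group-writable by the web-server group) and .htaccess owned by root, the PHP process can still create files but cannot unlink or rename ones it does not own.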
SpookTech
08-25-2006, 06:26 AM
The PHP script that allows them to upload files won't allow them to open any files or execute anything. All it does is allow them to see a directory list and upload/rename/delete files. They can only view files the normal way, which I think should be completely blocked by the .htaccess file.
I think I have read somewhere that PHP can execute an exe file. What functions would I need to block to stop that? (I don't need to do it myself, so I might as well block it completely.)
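A panel that can upload, rename and delete files in the protected folder is itself the most direct route to the .htaccess file, regardless of what Apache does with HTTP requests. The following is an added example, not code from the thread, of the filename gate such a panel should apply to every name it receives, for delete and rename as well as upload. It assumes PHP 7.1 or later; the upload directory path and the function names are hypothetical.

```php
<?php
// Added example (not code from the thread): the check an upload panel that
// can upload, rename and delete files should apply to every filename it
// receives, so that the panel itself cannot be used to remove .htaccess or
// to place a PHP file where the server would execute it.
// Assumptions: uploads live in $uploadDir and nothing in it should ever be
// executed by the server; function names are hypothetical.

function safeUploadName(string $name, string $uploadDir): ?string
{
    // Take only the final path component; this strips "../" and absolute paths.
    $base = basename(str_replace('\\', '/', $name));

    // Refuse empty names and anything starting with a dot: that covers
    // .htaccess, .htpasswd and .user.ini, which all change server behaviour.
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Refuse control characters and anything outside a tight character set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,100}$/', $base)) {
        return null;
    }

    // Refuse every extension the server (or a module) might execute, checking
    // each dotted part so "shell.php.jpg" is caught as well as "shell.php".
    $executable = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'pl', 'cgi', 'sh', 'py', 'exe'];
    foreach (array_slice(explode('.', strtolower($base)), 1) as $ext) {
        if (in_array($ext, $executable, true)) {
            return null;
        }
    }

    // Resolve the directory and confirm the final path stays inside it.
    $real = realpath($uploadDir);
    if ($real === false) {
        return null;
    }
    $target = $real . DIRECTORY_SEPARATOR . $base;
    if (strpos($target, $real . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

// The same gate guards rename and delete, not only upload, so the panel
// cannot remove .htaccess even though the file physically sits in the folder.
function panelDelete(string $name, string $uploadDir): bool
{
    $target = safeUploadName($name, $uploadDir);
    return $target !== null && is_file($target) && unlink($target);
}

function panelRename(string $from, string $to, string $uploadDir): bool
{
    $src = safeUploadName($from, $uploadDir);
    $dst = safeUploadName($to, $uploadDir);
    return $src !== null && $dst !== null && is_file($src) && rename($src, $dst);
}

// Usage with constructed inputs (directory path is an assumption):
// safeUploadName('.htaccess', '/var/www/site/uploads');        // rejected (dotfile)
// safeUploadName('../../index.php', '/var/www/site/uploads');  // rejected (executable extension)
// safeUploadName('photo.jpg', '/var/www/site/uploads');        // accepted if the directory exists
```

Whitelisting characters and extensions is deliberate: a blacklist of bad names is always one new handler mapping away from being incomplete, whereas a name that passes this gate is plain, non-executable and confined to the upload directory.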
A-Wing
08-25-2006, 06:41 AM
As far as I am aware this is a pretty exhaustive list unless you have extra modules installed:
phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system,openlog
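The list above is applied through the disable_functions directive. As an added example, not from the thread, this is how it is set; the directive is PHP_INI_SYSTEM, so it only takes effect in php.ini (or via php_admin_value in httpd.conf), never in .htaccess or ini_set(). The entries after openlog are additions here: popen, pcntl_exec and dl also give code execution. The open_basedir path is an assumption.

```ini
; Added example, not from the thread. disable_functions only works from
; php.ini or php_admin_value in httpd.conf, not from .htaccess or ini_set().
; The list is the one from the post plus popen, pcntl_exec and dl, which
; are additions here because they also allow executing code.
disable_functions = phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system,openlog,popen,pcntl_exec,dl

; Confine file access to the site tree so an uploaded script cannot read or
; write outside it even with the functions that remain (path is an assumption).
open_basedir = /var/www/site
```

Check the result with `php -i | grep disable_functions` (or phpinfo() before it is disabled); a disabled function raises a fatal error when called, so anything the panel legitimately uses must stay off the list. Note that readfile and dir in the post's list are plain file and directory helpers rather than execution functions; disabling them is harmless if the site does not use them.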
SpookTech
08-25-2006, 06:59 AM
Thanks. I'm pretty sure I don't ever need to use any of those for what I do.
The only extra module I have loaded is that GD thing (I'll double-check this when I get back to my server, though).
A-Wing
08-25-2006, 07:13 AM
GD is fine, as is pretty much any standard module, I meant anything from the PECL library or anything custom.
SpookTech
08-25-2006, 07:40 AM
Ahh, that's OK then. I don't know what PECL is and I don't know how to make custom things (and I'm certainly not installing someone else's custom module).
Thanks for your help :)