<snipped stuff re safe mode and file uploads>
>Interesting - This is important. On a shared server, I think that running in
>safe mode is probably the preferred way to go.
All of my domains are hosted on machines along with thousands of other
domains on the same machine and PHP is NOT in safe mode!
> When you are *not* in safe
>mode, another user could write a script, that is executed by the web server,
>that reads your pt_config.inc file (and gets your passwords). Safe mode
>prevents this from happening.
I'll see if I can read files in one domain's cgi-bin from another domain
when I get a minute. Could be a huge security hole that my hosting
company would need to know about!
> So... I'm glad you found this bug.
>I tried the solution on my computer, but I don't seem to have php properly
>configured to run as a cgi script.
I haven't had time to try it here yet. Is it possible to run PHP as a
module AND a CGI on the same server?
> A couple random thoughts that I didn't
>have time to fully research:
>*Since pagetool essentially runs as one file with many includes, do we have
>to put the #!/usr/bin/php at the top of the index.php (cgi) and test.php
>(cgi) pages and have it work throughout? Or, can we just put it at the top
>of the include files dealing with uploads?
I *think* it's just the upload script that needs to have the .cgi
extension and the #!/usr/bin/php but I could be wrong.
>*It seems that this should be an option during install - perhaps the install
>script could query the computer to find out: a. whether php is in safe mode,
>and b: if so, where the php binary is located. Then it could add the
>appropriate line where it's needed.
>* Maybe we could automatically create soft links from the *.inc to *.cgi
Getting Pagetool to work out of the box on ANY system is going to be fun!
John emailed me and said he was going to sort out the Pagetool file
upload thing on the f2s servers so hopefully he'll let us know how he
did it, if he's successful.
d a v e