I hate FTP nearly as much as https :p
Re: Mad idea but it might just work
« Reply #15, on March 8th, 2012, 09:22 PM »
I can't think of any webhosts that don't offer SSH. I know Dreamhost and GoDaddy does, and so does Nearlyfreespeech.
I'm sure there are some, but I'd think they are fewer than you seem to think.
1. | I also note that IIS and nginx are not accounted for, however I figure anyone using those will probably ask for details of what they need to do and we can deal with that on a case by case basis. |
2. | I don't know why I haven't thus far actually, I did put in a protection against people trying to download archives from there. |
Sure, the attachments, avatars,and the gallery folders are at risk from files being overwritten/corrupted, but they're theoretically safe against PHP being dumped in them and executed - because there's an .htaccess ruleset against PHP execution from those folders.
The cache is a trickier one but the entire cache folder is marked as inaccessible to outside PHP calling, which means the risk then becomes against the cache files themselves being abused, but since they're regenerated regularly, that's not as much of a deal,
Really...? Isn't it just about PHP files, not other files containing PHP or whatever?
Also, these folders have a redirection through an index.php file, which I can tell you they do execute...
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
It just treats it as a 404 error (i.e. no redirection in the address bar but we do get the homepage.)
They're only regenerated if a component has been modified -- which is very likely in beta, but unlikely after that.