I'm an intern, just moving past S.O. copy-pasta jobs, and generally get scared at what the hacker news crowd might say about my code... seeing this caliber of shit get pushed live by a major ISP is almost comical. If an admitted novice such as myself can see that, it should be a sign as to the ineptitude of our current crop of ISPs.
One thing I can say is don't use exec if you can avoid it:
$string = 'rm /var/www/Giftest/*.gif';
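The same cleanup without shelling out, as an added example that is not from the thread or from the ISP's code. It uses PHP's own glob()/unlink() so no shell is involved, and the directory path is assumed (kept the same as the line above only for illustration):

```php
<?php
// Added example (not the original code): delete every .gif in one fixed
// directory with PHP's filesystem functions instead of exec('rm ...').
// No shell is spawned, so there is nothing for quoting or metacharacters to hit.
// The directory path is an assumption for illustration.

function deleteGifs(string $dir): int
{
    $base = realpath($dir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Not a directory: $dir");
    }

    $deleted = 0;
    foreach (glob($base . '/*.gif') as $file) {
        // Skip symlinks so a planted link cannot redirect the delete elsewhere;
        // only remove regular files that actually live in $base.
        if (is_link($file) || !is_file($file)) {
            continue;
        }
        if (unlink($file)) {
            $deleted++;
        }
    }
    return $deleted;
}

echo deleteGifs('/var/www/Giftest') . " gif(s) removed\n";
```

If the directory were ever built from user input, the realpath() check at the top is where you would also verify it resolves under the one directory you intend to touch.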
Don't let the macho attitude of HN infect you too much - a lot of people here (and elsewhere) are great at criticizing others.
Though, I have to admit, bitching about other peoples' code is fun.
- keep config variables in a separate file that is in your .gitignore and won't get pushed to github.
- keep config file outside of any web accessible directory in case the file renders in plaintext for some reason.
Regardless of db only accepting local connections - an attacker is one step closer to dumping the db.
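The two bullet points above (config in a git-ignored file, stored outside the web root) in concrete form, as an added example that is not from the thread. All paths, key names and the db.php layout are assumptions for illustration:

```php
<?php
// Added example (not from the original thread): load DB credentials from a
// file that lives outside the document root and is never committed.
// Assumed layout:
//   /srv/app/public/index.php         <- document root (web-accessible)
//   /srv/app/config/db.php            <- NOT under public/; listed in .gitignore
//   /srv/app/config/db.php.example    <- committed template with placeholder values
//
// .gitignore (assumed):
//   /config/db.php
//
// config/db.php (never committed) just returns an array, e.g.:
//   <?php
//   return ['dsn' => 'mysql:host=127.0.0.1;dbname=app', 'user' => 'app', 'pass' => 'CHANGE-ME'];
//
// Contrast: hard-coding these values in public/index.php means a misconfigured
// server that serves .php files as plain text exposes them to any visitor.

function loadDbConfig(): array
{
    // One level above public/, so the web server never serves this file.
    $path = dirname(__DIR__) . '/config/db.php';
    if (!is_readable($path)) {
        throw new RuntimeException(
            'DB config missing; copy config/db.php.example to config/db.php'
        );
    }
    $cfg = require $path;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (empty($cfg[$key])) {
            throw new RuntimeException("DB config missing key: $key");
        }
    }
    return $cfg;
}

$cfg = loadDbConfig();
$pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
```

Committing only the .example template keeps the real file out of the repo's history as well, which matters because removing a secret from a later commit does not remove it from earlier ones.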
Still very valuable things to be aware of in future situations where the above might not apply, thank you very much.