I've been having a mess around with some code for managing uploaded media, primarily uploading PHP and PHPS files, the latter being PHP Source, which is somewhat lacking information around the web.
I've added some additional mime types to my test install, so i can uploaded PHP and/or PHPS files, i then use this for Plain Text style display. Of course i'm sure some of you are wondering what the security implications of this are... and this is really where my question starts..
I'm using .htaccess to force the content type on any files in the uploads folder that match .php or .phps, i then call up these attachments via thickbox using the iframe method, the code is loaded as phps (or PHP source) which in short is a syntax coloured version of plain/text designed for showing off PHP code.
I'm redirecting all requests to the files directly, and mapping new custom URLs to the orginal locations, here's an example.
Actual Path: /wp-content/uploads/year/month/day/example.php After rewrite: /source/year/month/day/example/
I've hooked into the appropriate places to ensure all attachment paths now reflect the custom URLs, meaning whenever a path to a php file in the uploads folder appears (in the media uploader or in a post) it's replaced with my custom URL equivalent.
Everything works.. attachment pages can open a thickbox with phps formatted PHP code, which is much cheaper (performance wise) then the syntax highlighting plugins.
The only concern i have is, whether i should be worried about placing PHP files into my uploads folder, even with the forced content type, am i putting myself at risk?
Is there anyone here who can comment on the implications of using this approach? Am i safe?
NOTE: I've not implemented this on my live site, it's just in a testing phase, and i'd like to get a little feedback on the idea..
UPDATE: No longer need feedback on this, don't run self hosted WordPress on the web, now using a .com blog for posting blogs..