I got an email about the reply:
item has made a new post under
Upload .php documents for an account?

The discussion is located at:


Here is a preview (may be truncated):
***************
Hi,
at your risk and certainly very bad.

just add .php to
***************

All the best,
EspoCRM Open Source Community Forum
​

When I go to the link I get:

Sorry, you are not authorized to view this page. For assistance contact the site administrator.​

Administration > Entity Manager > Document > Fields > File. Add ".php" in the Accept field.

Thank you.

Why is putting .php code in an attached document a bad practice?

Is there a way that .php code in an attached document could be executed in EspoCRM? Would re-naming the .php file to .txt make it any safer? Should I make it a Word file?

Should I encrypt it with one of the many utilities out there (or one you might suggest?)

How do you suggest that I save some code used for a client (we make websites and like to save a lot of 'stuff' about a client's site, especially specialized code... just in case the site gets 'bricked' or deleted, etc.)

It is not a big deal... we don't have to do this ... and very rarely ever do...it is just sometimes convenient for us..

Nothing wrong with uploading PHP files, despite "security specialists" will say opposite. It's to mitigate risk if there would be a security vulnerability allowing to include and execute an uploaded PHP file. But it's unlikely to happen with Espo.

Thanks for the info.

As I say most WordPress sites we do need a lot of additional CSS but usually don't require any extra .php code from us.

But those sites that use the WooCommerce e-com plugin often need a ton of additional code snippets since the plugin is basically 'bare bones.'

We don't know of any database application that is safer (or more secure) than EspoCRM to store client info stuff in.

Also 100% of the .php code we store changes the look (cosmetic) of the shopping cart, not the functionality of it.

For example on the Cart screen, Woo defaults to the word "Product" as the column heading of the items to be bought.

However clients who sell books don't want to see "product' as the heading, they want to see "Books" and that can only be done by 10+ lines of .php.

That kind of code is hardly a 'security threat' if it was executed by a bad-actor who somehow hacked into our server-instance of EspoCRM.

Thanks again.

Thank you all for the explanations. In this context I have another question: How secure are personal data of clients, e.g. in contacts or accounts. Would it be possible to hack those data out of espoCRM? Of course I mean by an easy way.

> Would it be possible to hack

There's no simple answer on such a question.