Disallow PHP in certain directories?

programming
1

I’ve been working on setting up a web server to host pages for friends, and hopefully a few businesses eventually. I’ve been using PHP for a while, and I have a web-based front end for people to upload files and such which relies on the filesystem commands (fopen, readfile, etc.)… I don’t want any user on my webserver having access to the filesystem commands, for the obvious reasons… I can disable the file commands using the php.ini file, but then my front end would no longer work. The best solution I can come up with is running two seperate servers: one with full php commands enabled which runs the front end, and one with limited php enabled which serves up the user directories.

There has to be a simpler solution… Is there any way I can specify a limited set of php commands for the user folders? Or, can I totally disable PHP commands for the user folders?

And a side note, I’m running something called sambar server (www.sambar.com) … I’m hesitant to switch to IIS , because I’m not too good at keeping up on hotfixes, but if I do, will that offer me a solution to this prob?

Thanks a lot! :azn: Kenny

2

You should run PHP in safe mode and setup your scripts such that they don’t require system commands.

There are plenty of way to do upload/file management that would work in PHP safe mode and would keep your system secure from harmful system commands.

3

*Originally posted by corvettekenny *
There has to be a simpler solution… Is there any way I can specify a limited set of php commands for the user folders? Or, can I totally disable PHP commands for the user folders? **

I’m not familiar with Sambar, but on Apache you can disable script-associatons on a per-directory basis using .htaccess. So if all else fails… :slight_smile:

Useful reading for Apache:

RemoveType

AddType

.htaccess

Hope it’s of some use.