
Disallow PHP in certain directories?



corvettekenny
November 12th, 2003, 11:58 AM
I've been working on setting up a web server to host pages for friends, and hopefully a few businesses eventually. I've been using PHP for a while, and I have a web-based front end for people to upload files and such which relies on the filesystem commands (fopen, readfile, etc.).. I don't want any user on my webserver having access to the filesystem commands, for the obvious reasons.. I can disable the file commands using the php.ini file, but then my front end would no longer work. The best solution I can come up with is running two separate servers: one with full php commands enabled which runs the front end, and one with limited php enabled which serves up the user directories.

There has to be a simpler solution... Is there any way I can specify a limited set of php commands for the user folders? Or, can I totally disable PHP commands for the user folders?

And a side note, I'm running something called sambar server (www.sambar.com) ... I'm hesitant to switch to IIS , because I'm not too good at keeping up on hotfixes, but if I do, will that offer me a solution to this prob?

Thanks a lot! :azn: Kenny

ask
November 12th, 2003, 09:39 PM
You should run PHP in safe mode and set up your scripts such that they don't require system commands.

There are plenty of ways to do upload/file management that would work in PHP safe mode and would keep your system secure from harmful system commands.

Rene
November 14th, 2003, 04:09 PM
Originally posted by corvettekenny
There has to be a simpler solution... Is there any way I can specify a limited set of php commands for the user folders? Or, can I totally disable PHP commands for the user folders?

I'm not familiar with Sambar, but on Apache you can disable script-associations on a per-directory basis using .htaccess. So if all else fails... :)

Useful reading for Apache:

RemoveType (http://httpd.apache.org/docs/mod/mod_mime.html#removetype)

AddType (http://httpd.apache.org/docs/mod/mod_mime.html#addtype)

.htaccess (http://httpd.apache.org/docs-2.1/en/howto/htaccess.html)

Hope it's of some use.
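The following is an added example, not configuration from anyone in this thread and not specific to Sambar: it shows what Rene's per-directory approach (RemoveType/RemoveHandler) and ask's "limit what the scripts can touch" approach look like on an Apache httpd server running PHP as mod_php. The directory paths (/var/www/html/uploads, /home/alice/public_html) and the Apache 2.4 access syntax are assumptions; on Apache 2.2 replace "Require all denied" with "Order deny,allow" / "Deny from all".

```apache
# Added example (not from the thread). Assumes Apache httpd with mod_php;
# all paths are placeholders.

# 1. The upload area: PHP is never executed here, and script files are
#    never served, whatever they were renamed to on the way in.
<Directory "/var/www/html/uploads">
    # Switch the PHP engine off for this tree. php_admin_* directives can
    # only be set in the server config, so a user .htaccess cannot undo it.
    php_admin_flag engine Off

    # Drop the script associations so that .php (and legacy suffixes) are
    # not handed to the PHP module at all.
    RemoveHandler .php .phtml .php3
    RemoveType    .php .phtml .php3

    # No CGI or server-side includes from an upload tree either.
    Options -ExecCGI -Includes

    # Do not even serve anything that still looks like a script; a 403 is
    # safer than returning the source as text/plain.
    <FilesMatch "\.(php|phtml|php3|phps)$">
        Require all denied
    </FilesMatch>

    # Stop users re-enabling any of the above from a dropped-in .htaccess.
    AllowOverride None
</Directory>

# 2. A per-user web directory: PHP is allowed, but the filesystem
#    functions (fopen, readfile, ...) are fenced to the user's own tree.
<Directory "/home/alice/public_html">
    # open_basedir makes PHP refuse any path outside these prefixes.
    # Trailing slashes matter: "/home/alice/public_html/" does not also
    # match "/home/alice/public_html_old".
    php_admin_value open_basedir "/home/alice/public_html/:/tmp/"
    php_admin_value upload_tmp_dir "/tmp"
    AllowOverride None
</Directory>
```

When only .htaccess is available, the RemoveHandler/RemoveType lines work there if the directory allows "AllowOverride FileInfo", and "php_flag engine Off" works under "AllowOverride Options"; php_admin_* and open_basedir cannot be set from .htaccess. To check the upload-directory block, drop a file containing `<?php phpinfo(); ?>` into the uploads tree and request it: the expected result is a 403, not a PHP info page and not the raw source.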