  1. #1

    Securing php to offer web hosting?

    Hi, I want to start offering free web hosting on my site, but I want to make sure that my php is secured and they can't cause any problems. I know my php is secure for ME, but allowing other people to use php on my server raises some security risks if they can modify stuff outside their folder and such.

    I'm running a Windows 2003 dedicated server with PHP 5. All the files they are allowed to upload are in a subdomain under my main site( While securing PHP in that subfolder, I would also like to not limit myself outside of the folder. Basically I want everything outside of that folder to be how it is now, and put everything inside the folder in a box which they can't get out of.

    I don't know if I can change the php.ini settings on a folder to folder basis, so what I was thinking was to create 2 installations of php and let them run the restricted version, a good idea? Any help on what settings I should change to make php secure would be great.

    I'm also allowing them ASP access; are there any security settings I need to worry about there? I don't think so, but I don't use ASP.


  2. #2
    Join Date
    Feb 2005
    Maybe you could use .htaccess?
    Maybe force copy a .htaccess into their folder on account creation?

    Put this in it to parse PHP as text (I think..) :

    RemoveHandler .php .php3
    AddType text/plain .php .php3 .cgi .php4 .php5

    Hope it helps..

  3. #3
    Hmm, can htaccess be used on Windows? I thought it was a Linux feature?

    RemoveHandler .php .php3
    AddType text/plain .php .php3 .cgi .php4 .php5
    How does that ^^ secure PHP? I remember seeing somewhere that php.ini settings can be changed in htaccess, so if it is available on Windows, what do I need to put in it to lock them inside a box? One thing that I know of that needs to be stopped (there are probably many more, but it's the only thing I can think of at the moment) is disallowing the use of:
    PHP Code:
    I don't want them to be able to access anything outside their folder. So say they have a file in, they can not run the above code that would be

  4. #4
    Join Date
    Jan 2005
    Would safe_mode apply here, and how about directory restrictions in php.ini?

    All of those can be changed with .htaccess in Windows, if I can remember correctly.

  5. #5
    Join Date
    Jul 2005
    Seattle, WA
    We run all PHP as CGI. So instead of php scripts getting executed as "apache" or "nobody", they get run as the user who owns them.

    So PHP cannot modify anything outside of the user's home directory (except /tmp, which is safe).

    In php.ini you can disable functions like system() and exec(), preventing them from running exploits.

    These 2 work great combined. I don't find it necessary to disable system and exec as everyone gets a shell account, but it may be a good option for you.
    I'll Host It webhosting and file hosting service.
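
An added example, not part of any post in this thread: a self-check script to place in a hosted customer's folder, which reports whether the directory restriction (`open_basedir`) and the `disable_functions` list discussed above are actually in effect for scripts running there. The canary path and the function names beyond `system` and `exec` are assumptions made for the example.

```php
<?php
// Added example (not from the thread). $outside is a hypothetical canary file
// that the administrator creates OUTSIDE the customer folder.
$outside = 'C:/hosting/canary.txt';

// system and exec are named in the thread; the other command-execution
// functions are an addition for this example.
$mustBeDisabled = array('system', 'exec', 'passthru', 'shell_exec', 'popen', 'proc_open');

// Read a list-valued ini setting and return its non-empty, trimmed items.
function ini_list($name, $separator)
{
    $items = array();
    foreach (explode($separator, (string) ini_get($name)) as $item) {
        $item = trim($item);
        if ($item !== '') {
            $items[] = $item;
        }
    }
    return $items;
}

function sandbox_findings($mustBeDisabled, $outside)
{
    $findings = array();

    // open_basedir entries use the platform separator (";" on Windows).
    if (count(ini_list('open_basedir', PATH_SEPARATOR)) === 0) {
        $findings[] = 'open_basedir is not set: no directory restriction is active';
    }

    $disabled = array_map('strtolower', ini_list('disable_functions', ','));
    foreach ($mustBeDisabled as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }

    // Effective test: the canary outside the customer folder must not be readable.
    if (@is_readable($outside)) {
        $findings[] = "file outside the folder is readable: $outside";
    }
    return $findings;
}

$findings = sandbox_findings($mustBeDisabled, $outside);
header('Content-Type: text/plain');
echo count($findings) === 0 ? "OK: restrictions are in effect\n" : implode("\n", $findings) . "\n";
```

Running it once from a customer folder and once from the main site shows whether the restrictions apply only inside the box.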
