That's for standard html. But since php is typically run with the local_system account it has full access to the server and all it's folders.
But with the open_basedir setting, you can restrict script access to certain folders.
There's actually quite a bit of information out there on this, with people running into the same scenarios when running a shared server: "How do I prevent my users from seeing eachothers data?" It's just hard to get the right search terms in.
Probably for me the two biggest things I've discovered is that
1. you can set the open_basedir for each virtualhost in the httpd.conf file like so:
- Code: Select all
<VirtualHost *:80>
DocumentRoot "C:/xampp/htdocs/intranet"
ServerName intranet.marion.com
ServerAlias intranet
ErrorLog "logs/intranet.log"
CustomLog "logs/intranet.log" combined
php_admin_value open_basedir "c:\xampp\htdocs\intranet;c:\xampp\htdocs\phpmyadmin;c:\xampp\php"
</VirtualHost>
I had to grant access to the phpmyadmin folder and the php folders for phpmyadmin to work...
and
2. disabling some dangerous functions in the php.ini file:
- Code: Select all
disable_functions = "diskfreespace, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
Diskfreespace() might not be that big a deal, but I felt it was.
I hope there are others out there that can find this helpful.