> PHP works around this problem with the OPEN_BASEDIR directive. I don't know how secure this is, but it seems it works.
No, it doesn't. As I wrote, a quick Google search will show this. Trying to limit access that way without using system user accounts is like playing whack-a-mole; there'll always be ways around that, like in http://secunia.com/advisories/13023/ .
All the cheap mass-hosters that I've seen simply have no secure separation of customers. They pretty much all run their customers' processes with the same user account, whether it's plain Apache, CGI or PHP.
> I think that's the reason PHP is so widely spread among shared web hosts
While some admins may believe in snake oil like open_basedir, there are other reasons for that, including the fact that MP is basically useless for cheap mass-hosters because Perl can't really unload code, which just uses too much RAM. PHP, on the other hand, can't cache code out of the box, which is lame for dedicated servers but is better for this kind of scenario. Of course, some or many mass-hosters just run PHP in CGI mode, like they do with plain Perl CGI.
Also, having a big but limited set of PHP-bundled libraries that everybody uses is more practical for web hosters than having to install much of CPAN, or doing CPAN module installs on request.
--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html