From: "Ben Joyce" <[EMAIL PROTECTED]>

> one of my clients whom we host a website for has expressed interest in
> writing their own php/mySQL applications for their site.
>
> I've been looking into the security implications of offering this service.
> My concerns are that the client *could* use a php script to access parts of
> the file system, registry (this is a Win32 environment), or other such
> things.

What web server are you going to use? Either way, PHP runs as a specific
user (IUSR_<computer_name> with IIS, for example). This user shouldn't be
able to access anything in the filesystem except what's in the webroot
(ensure this is true for your machine). This assumes an NTFS filesystem,
btw. In order to protect things under the webroot, that's where safe_mode,
open_basedir, etc., come into play as explained in the article you linked to.

You're right to be concerned, but it can be done safely. In addition to all
of the above, get something IN WRITING stipulating what the user is allowed
to do, terms of service, etc. That way if you catch them doing something,
you'll be safe legally to go after them. IANAL.

---John Holmes...

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
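
One way to carry out the "ensure this is true for your machine" check from the reply above, as an added example that is not part of the original message: a PHP script that reports the open_basedir and safe_mode settings and tests whether the PHP user can read locations outside the webroot. The webroot and probe paths are assumed placeholders to replace with your own.

```php
<?php
// Added example. Request it through the web server so it runs as the PHP
// user (IUSR_<computer_name> under IIS), then delete it from the server.
header('Content-Type: text/plain');

$webroot = 'C:\\Inetpub\\clients\\example';      // assumed: the client's webroot
$probes  = array('C:\\', 'C:\\Windows\\win.ini', // assumed: locations the client
                 'C:\\Inetpub\\clients\\other'); // must not be able to read

// True if $path resolves to $root or something beneath it (case-insensitive, as on NTFS).
function is_inside($path, $root) {
    $p = @realpath($path);
    $r = @realpath($root);
    if ($p === false || $r === false) return false;
    $p = strtolower(rtrim($p, '\\/')) . '\\';
    $r = strtolower(rtrim($r, '\\/')) . '\\';
    return strncmp($p, $r, strlen($r)) === 0;
}

// True if the PHP user can actually list the directory or read one byte of the file.
function can_read($path) {
    if (@is_dir($path)) return @scandir($path) !== false;
    return @file_get_contents($path, false, null, 0, 1) !== false;
}

$basedir = (string) ini_get('open_basedir');
if ($basedir === '') {
    echo "WARN open_basedir is not set; results below reflect NTFS ACLs only\n";
} else {
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        // An entry outside the webroot (a shared temp directory, say) needs review.
        $ok = is_inside($entry, $webroot);
        echo ($ok ? 'OK   ' : 'WARN ') . "open_basedir entry: $entry\n";
    }
}

$safe = ini_get('safe_mode');   // false on builds that have no such directive
if ($safe !== false) echo 'INFO safe_mode = ' . ($safe ? 'on' : 'off') . "\n";

foreach ($probes as $path) {
    echo (can_read($path) ? 'FAIL readable: ' : 'OK   blocked:  ') . $path . "\n";
}
echo (can_read($webroot) ? 'OK   ' : 'WARN ') . "webroot readable: $webroot\n";
```

With open_basedir set, a blocked probe may have been stopped by either layer; to verify the NTFS ACLs on their own, run the script once with open_basedir unset.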
