> Where should I look for resources related to locking down the security of
> PHP? In particular can I specify directories that PHP will allow scripts to
> execute? For instance can I specify that d:\domains\domain1 can have access
> but not d:\domains\domain2? This sure would be an awesome feature if there
> is such a feature.

Yes. Under IIS, PHP runs as the user IUSR_[machinename], so if that user does not have modify permissions on d:\domains\domain2 it won't be allowed to modify files there. It's exactly as secure as Windows is :|

Not completely sure about Apache/Windows, but it's the same principle, and you can control _web_ access within your DocumentRoot with .htaccess files.

Sounds like you should be checking out the safe_mode stuff in php.ini too.

Matt
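
An added example, not part of the original thread: a PHP script that confirms the file-system permissions described in the reply actually hold for the account PHP runs as. The expected-access map, the function names and the probe file name are assumptions made for illustration; the two directories are the ones from the question.

```php
<?php
// Added example: verify from inside PHP which directories the PHP process
// identity can write to. Request it through the web server so it runs as the
// same account as the site's scripts.

/** Attempt a real write in $dir; true means the current identity can create files there. */
function can_write_to(string $dir): bool
{
    $probe = rtrim($dir, "\\/") . DIRECTORY_SEPARATOR
           . 'acl_probe_' . bin2hex(random_bytes(8)) . '.tmp'; // hypothetical probe name
    $fh = @fopen($probe, 'x');   // 'x' creates a new file and never overwrites an existing one
    if ($fh === false) {
        return false;            // creation denied: the permission blocks writes
    }
    fclose($fh);
    @unlink($probe);             // clean up the probe file
    return true;
}

/** Compare actual write access against the intended policy and list every mismatch. */
function audit_write_access(array $expected): array
{
    $findings = [];
    foreach ($expected as $dir => $shouldWrite) {
        if (!is_dir($dir)) {
            // A missing or unreadable directory must not pass as "write denied".
            $findings[] = "$dir: not found or not accessible, cannot verify";
            continue;
        }
        $actual = can_write_to($dir);
        if ($actual !== $shouldWrite) {
            $findings[] = sprintf(
                '%s: expected write %s, but write was %s',
                $dir,
                $shouldWrite ? 'allowed' : 'denied',
                $actual ? 'allowed' : 'denied'
            );
        }
    }
    return $findings;
}

// Intended policy (assumed): scripts may write in domain1 but not in domain2.
$expected = [
    'd:\\domains\\domain1' => true,
    'd:\\domains\\domain2' => false,
];

$findings = audit_write_access($expected);
echo $findings ? implode(PHP_EOL, $findings) : 'Write access matches the intended policy', PHP_EOL;
```

Running the script from a command prompt tests the logged-in administrator's permissions rather than the web server account's, so the result is only meaningful when the page is requested over HTTP.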