--- Ben Joyce <[EMAIL PROTECTED]> wrote:
> One of my clients whom we host a website for has expressed interest
> in writing their own PHP/MySQL applications for their site.
> 
> I've been looking into the security implications of offering this
> service.

How are you not offering it now? Can the client not write CGI scripts,
PHP, or anything like that now? So, only static content?

> My concerns are that the client *could* use a php script to access
> parts of the file system, registry (this is a Win32 environment), or
> other such things.

Not to be cute, but Windows isn't fundamentally a multi-user operating
system. I doubt offering PHP services is going to affect your server
security more than your choice of operating system already has.

You can restrict what PHP can do with things like safe_mode, but it is
very important to realize that this only affects scripts written in PHP.
It doesn't protect your environment; it only takes PHP out of the picture.

Security Corner in the latest issue of php|architect
(http://www.phparch.com/issue.php?mid=26) discusses the issue of shared
hosting in more detail.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)