If your application must operate on the filesystem, you can set the open_basedir
option to further secure the application by restricting access to a specific directory.If
open_basedir is set in php.ini, PHP limits filesystem and I/O functions so that they
can operate only within that directory or any of its subdirectories. For example:
open_basedir = /some/path
With this configuration in effect, the following function calls succeed:
unlink("/some/path/unwanted.exe");
include("/some/path/less/travelled.inc");
But these generate runtime errors:
$fp = fopen ("/some/other/file.exe", "r");
$dp = opendir("/some/path/../other/file.exe");
Of course, one web server can run many applications, and each application typically
stores files in its own directory.You can configure open_basedir on a per-virtual host
basis in your httpd.conf file like this:
<VirtualHost 1.2.3.4>
ServerName domainA.com
DocumentRoot /web/sites/domainA
php_admin_value open_basedir /web/sites/domainA
</VirtualHost>
Similarly, you can configure it per directory or per URL in httpd.conf:
# by directory
<Directory /home/httpd/html/app1>
php_admin_value open_basedir /home/httpd/html/app1
</Directory>
# by URL
<Location /app2>
php_admin_value open_basedir /home/httpd/html/app2
</Location>
The open_basedir directory can be set only in the httpd.conf file, not in .htaccess files, and you must use php_admin_value to set it.
option to further secure the application by restricting access to a specific directory.If
open_basedir is set in php.ini, PHP limits filesystem and I/O functions so that they
can operate only within that directory or any of its subdirectories. For example:
open_basedir = /some/path
With this configuration in effect, the following function calls succeed:
unlink("/some/path/unwanted.exe");
include("/some/path/less/travelled.inc");
But these generate runtime errors:
$fp = fopen ("/some/other/file.exe", "r");
$dp = opendir("/some/path/../other/file.exe");
Of course, one web server can run many applications, and each application typically
stores files in its own directory.You can configure open_basedir on a per-virtual host
basis in your httpd.conf file like this:
<VirtualHost 1.2.3.4>
ServerName domainA.com
DocumentRoot /web/sites/domainA
php_admin_value open_basedir /web/sites/domainA
</VirtualHost>
Similarly, you can configure it per directory or per URL in httpd.conf:
# by directory
<Directory /home/httpd/html/app1>
php_admin_value open_basedir /home/httpd/html/app1
</Directory>
# by URL
<Location /app2>
php_admin_value open_basedir /home/httpd/html/app2
</Location>
The open_basedir directory can be set only in the httpd.conf file, not in .htaccess files, and you must use php_admin_value to set it.
