PHP Security

If you are having trouble with PHP commands like backticks (``), system(), exec(), passthru(), and others that spawn external commands, or are having trouble with errors like:

open_basedir Restrictions in effect, file is in wrong directory

Then you're running PHP as an Apache module and you've written a script that doesn't quite conform to our security standards.

We implement strict security for PHP scripts run by Apache, because otherwise, none of our users would be able to sufficiently secure sensitive information (like Database passwords)!

If PHP is running as part of Apache, it runs as Apache's user and group. This differs from CGI scripts, which, because they run as a separate process outside Apache, run as the owner's user and group.

To protect your PHP scripts, we've disallowed all PHP functions that would let one user possibly open another user's script (and see sensitive stuff like passwords). Our restrictions work in two parts:


1. open_basedir restrictions prevent any of PHP's file opening commands from working on any files outside of /home/youruser. Files BELOW that directory WILL WORK:

/home/youruser/phpstuff/some/more/dirs/file.info IS OK! PHP CAN OPEN IT!

If you need to open files in another user's home directory (assuming both are under your account, of course!) contact TS and they will happily make an exception for you.

NOTE: There have been some strange bugs that appeared with respect to open_basedir. Sometimes files that ARE in your home directory trigger an open_basedir error when they really shouldn't. Notify support when this happens.


2. We have disabled the backticks operator (``), system(), exec(), passthru(), and dl() because all of these functions could be used to run naughty external processes as Apache's user.

If you need to use these functions, we have provided a second PHP system, PHP-CGI, which runs all your PHP scripts as if they were CGIs, so they run as your user and group. There are no restrictions on these scripts (not even open_basedir restrictions).

Here's how to switch to running PHP-CGI.

If you're using sessions, you'll have to delete your cookie and get a new one. Once the script is running as YOUR user, the session files Apache created in /tmp won't be readable (since your user can't read /tmp files created by Apache's user). Delete your cookie, start a new session, and all is well!

Contact support if you have any questions!

Last updated: Jan 23, 2004.
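
To see which of the two setups a given script is actually running under, the following diagnostic can be dropped into the site. It is an added example, not code from this KBase; the function names are illustrative, and it assumes a current PHP version with the posix extension available (it degrades if not).

```php
<?php
// Added example: reports how this request is executed and which of the
// restrictions described in the article apply to it.

// True if $fn cannot be called. PHP versions differ on whether a disabled
// function still "exists", so check both the ini list and function_exists().
function is_blocked(string $fn): bool
{
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array($fn, $list, true) || !function_exists($fn);
}

// Directories PHP's file functions are confined to; empty array = no limit.
function basedir_list(): array
{
    $raw = (string) ini_get('open_basedir');
    return $raw === '' ? [] : explode(PATH_SEPARATOR, $raw);
}

// Account the PHP process runs as (needs the posix extension).
function running_as(): string
{
    if (function_exists('posix_geteuid') && function_exists('posix_getpwuid')) {
        $pw = posix_getpwuid(posix_geteuid());
        return $pw !== false ? $pw['name'] : (string) posix_geteuid();
    }
    return 'unknown (posix extension not loaded)';
}

function report(): array
{
    $blocked = [];
    // shell_exec() also covers the backtick operator: disabling it disables both.
    foreach (['system', 'exec', 'passthru', 'shell_exec', 'dl'] as $fn) {
        $blocked[$fn] = is_blocked($fn);
    }
    return [
        'sapi'         => PHP_SAPI,            // e.g. apache2handler or cgi-fcgi
        'process_user' => running_as(),        // Apache's user vs. your own
        'script_owner' => get_current_user(),  // owner of this script file
        'open_basedir' => basedir_list(),
        'blocked'      => $blocked,
    ];
}

header('Content-Type: text/plain');
print_r(report());
```

Delete the file once you have the answer, since its output describes the server's configuration to anyone who requests it.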

User Post (2005-01-15 09:49:11 by pjt)
I'm running a php access script to query a MySQL database that includes USERNAME, PASSWORD, and DATABASE. Where should I store this file so this information remains secure and what is the path? Thanks.
User Post (2004-08-02 12:10:46 by organise)
I got textpattern http://www.textpattern.com/ to work while running php as an apache module but the image upload was giving me open_basedir errors. So I switched to run PHP as CGI and the image upload works perfectly.
User Post (2004-07-05 12:32:03 by holliboyd)
anyone use comdev one admin suite photo gallery? i am trying to get that to work ... changed to run php as cgi via web panel. still getting open base dir restrictions. do i need to change all extensions to .pcgi? do i need to rewrite so no exec() commands are included?
User Post (2004-06-17 00:58:20 by cliffclof)
---------O L D U S E R S-----------

Check your 'Run PHP as CGI' checkbox.

Mine was unchecked cause I've been a member for a while. whew
User Post (2004-04-06 11:05:12 by randomcaring)
Huzzah. Thanks guys, I finally got an image to upload. I had to do the "run as CGI" thing and then name the script I wrote .pcgi

Only thing is my php editor now won't do syntax highlighting since it's named .pcgi. Gotta fix that. ;/
User Post (2004-03-14 18:29:59 by protohiro)
draknek, thank you! my god this was driving me insane. people who want to know, the following code will actually handle an uploaded file on dreamhost:

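$root = realpath($_SERVER['DOCUMENT_ROOT']);
$uploaddir = $root.'/stuff/';
// basename() drops any directory part of the client-supplied file name
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
// the name comes from the client, so escape it before echoing it into HTML
echo htmlspecialchars($uploadfile);

print "<pre>";
// move_uploaded_file() only succeeds for a file PHP received as an HTTP upload
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    print "File is valid, and was successfully uploaded. ";
    print "Here's some more debugging info:\n";
} else {
    print "Possible file upload attack! Here's some debugging info:\n";
}
print "</pre>";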
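
Added example, not protohiro's code: a stricter handler for the same upload, which never uses the client's file name as a path and enforces the size limit on the server. The field name "userfile" and the "stuff" directory come from the post; the 2 MB limit, the image-only allow-list and the function name are assumptions.

```php
<?php
// Added example: stricter version of the upload handler in the post above.
// Assumed policy: images only, at most 2 MB, stored under a generated name.

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED   = ['jpg', 'jpeg', 'gif', 'png'];

// Returns the stored file name, or throws with the reason for rejection.
function store_upload(array $file, string $destDir): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . $file['error']);
    }
    // MAX_FILE_SIZE in the form is sent by the client and can be altered,
    // so the limit is enforced again here.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Keep only the extension of the client's name, and only if allow-listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED, true)) {
        throw new RuntimeException('extension not allowed');
    }
    // The extension is client-supplied too: confirm the content is an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that is not a real HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $destDir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

if (isset($_FILES['userfile'])) {
    $dir = realpath($_SERVER['DOCUMENT_ROOT']) . '/stuff';
    try {
        echo 'Stored as ', htmlspecialchars(store_upload($_FILES['userfile'], $dir));
    } catch (RuntimeException $e) {
        echo 'Rejected: ', htmlspecialchars($e->getMessage());
    }
}
```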
User Post (2004-03-06 18:08:02 by draknek)
When using absolute paths, use realpath($_SERVER['DOCUMENT_ROOT']) to get a path to your root web directory (eg. /home/youruser/yourdomain ) that will always work.

It's taken me over a year to work this out, so I hope others will find it useful.
User Post (2003-12-09 06:54:48 by lpigott)
Well, I can get Coppermine to upload a picture, but I have to bypass creating a thumbnail and also resizing the picture (for a larger picture). I have to comment out three commands in one script. The commands are exec(), chmod(), and getimagesize. I have included a .htaccess file with AddType php-cgi .php as the only command in it in every directory above and including the one with the offending script.

The path to Image Magick has been defined as /usr/bin/. Allowed image types are JPG/GIF/PNG/TIFF/jpg (I added the last because I wasn't sure whether case made a difference). The config file for Coppermine also includes -antialias as a command line option for ImageMagick. And it is set not to read EXIF data in JPEG files.
User Post (2003-12-08 11:35:11 by lpigott)
Does anyone use ImageMagick with Coppermine (v.1.2.0)? I have just installed Coppermine and it didn't like the path to ImageMagick convert (/usr/bin/). I finally got it installed by deleting the path altogether. But I can't upload a picture. It can't create a thumbnail.
User Post (2003-11-25 07:34:20 by pikkle)
I noticed after using a .pcgi to copy files and make directories, the web browser could not get to those files. I had to chmod($file) to fix it...
User Post (2003-08-31 17:00:37 by alohahouse)
re: dasil003 and file_exists problems

if you use realpath() around your filenames it will prevent the errors when using file_exists on files that don't exist. see the comments on http://ca3.php.net/file_exists for a discussion.
User Post (2003-07-18 13:05:25 by dasil003)
Re: Strange open_basedir bugs: Have you noticed that /home/username is actually a softlink to /home/.weirddirname/username? Well, a little experimentation showed that open_basedir warnings get raised if you use the short (ie. intended) path in a file function where the file doesn't exist. This is particularly annoying with functions such as is_file() or file_exists() where the whole point of the function is to see whether the file exists. Since the actual directories that your home directory soft link to appear subject to change, this presents a unique challenge. Alas Apache in no way dereferences paths, so there are no $_SERVER variables which reflect this hidden directory except for the open_basedir restriction itself. Mangling that may be the only solution to get a reliable path.
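
Added example (not part of any post here): one way to apply the realpath() advice from draknek and alohahouse above to the symlink problem dasil003 describes. It resolves a directory that is known to exist, then appends and normalises the relative part as a plain string, so PHP is never handed the short /home/username form for a file that may not exist; the same check rejects "../" escapes. The function names, the sample file name and POSIX-style paths are assumptions.

```php
<?php
// Added example: build canonical paths from a directory that exists,
// instead of passing the short symlinked path for a file that may not.

// Collapse "." and ".." lexically. No filesystem call is made, so nothing
// here can raise an open_basedir warning for a path that does not exist yet.
function normalise(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Returns the canonical absolute path for $relative under $base, or null
// if $base cannot be resolved or the result would fall outside it.
function path_under(string $base, string $relative): ?string
{
    $root = realpath($base);          // resolves the /home/username symlink
    if ($root === false) {
        return null;
    }
    $root = rtrim($root, '/');
    $full = normalise($root . '/' . $relative);
    if ($full !== $root && strncmp($full, $root . '/', strlen($root) + 1) !== 0) {
        return null;                  // "../" walked out of the base
    }
    return $full;
}

// Usage: existence test on the canonical path only.
$base = !empty($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : __DIR__;
$path = path_under($base, 'stuff/photo.jpg');   // sample name, constructed
var_dump($path !== null && file_exists($path));
```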
User Post (2003-07-02 23:27:17 by atacama)
If you run into these error messages while trying to install Gallery, check out my notes at http://www.wombatnation.com/misc/installGalleryDreamHost.html
User Post (2003-05-25 17:07:10 by jdatema)
I had problems using the Andromeda script until I renamed it .pcgi. Happy listening ensues....
User Post (2003-05-07 12:20:43 by brente)
bb_wannabe's instructions worked for me. TIP: if you cannot get it to save a config, create a .htaccess above your gallery DIR and set it also to "AddType php-cgi .php". this worked for me. then follow as instructed.

one thing that did get me was that my .htaccess file was invisible and my FTP program didn't show it. go to your apps prefs and find a "show invisible files" feature. turn that on and whammo, there it is. then you just edit that badboy as instructed above and you are ready to go. good luck.
User Post (2003-02-22 22:16:30 by liyet)
holliboyd, you need to set permissions to 755 instead of 777--see index.cgi?area=144
User Post (2003-02-17 13:37:53 by docrock)
I am having troubles with magic quotes causing problems with geeklog 1.3.7sr. How do i make a .htaccess file to accept magic quotes off?
this did not work:

php_value magic_quotes_gpc off

This would work if i could set them in php.ini:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Please advise.
User Post (2003-01-29 19:36:18 by holliboyd)
I am having problems with a script that creates directories (php). I remember seeing something about not allowing full 777 access when signing up and now I can't find it. Anybody know anything about it? Thanks!
User Post (2003-01-26 21:10:40 by gsteinmon)
I had a little trouble running Gallery both on its own and with postnuke. Here is what worked for me:

After finishing the Gallery setup script and saving my settings, I ran secure.sh.

I then added "AddType php-cgi .php" line to the .htaccess file within the main directory. Then I created an .htaccess file in the "platform" sub-directory with the only line of text being "AddType php-cgi .php".

I also needed to add an .htaccess file into the main postnuke directory with the "AddType php-cgi .php " line.

That seemed to work for me.
User Post (2003-01-24 17:26:15 by ciaobox)
OK. This is a bit confusing so I would appreciate if someone can help. I had already installed Gallery and got almost everything working before I found this post. Everything works except the upload. So at this stage, I added AddType php-cgi .php about 5 lines down on .htaccess in the gallery directory. What else do I have to do? Do I have to rename all the php files .pcgi? Just the add_photos file?

Please advise. Thanks!
User Post (2003-01-17 10:10:56 by jayeshsheth)
I tried everything in order to make uploads through PHP work, until I found this:

This contains two files:



The Form.php code is included in the HTML_Form_test.php file. As I understand it, the Form.php code is from the PEAR project's code repository.

In order to make your uploads work with Dreamhost, first rename HTML_Form_test.php to HTML_Form_test.pcgi , since this tells Dreamhost's server to process it differently (and thus allow it to upload files, which normally isn't).

Then in HTML_Form_test.php change



and upload these files to a folder on your site.

Then go to www.your_domain_name.com/your_upload_folder/HTML_Form_test.pcgi
and try to upload a file. It should work.
User Post (2003-01-12 12:28:55 by mlent)
OK. "Gallery" is also up and running for me. It is simpler than it looks. Follow all the installation steps indicated in "Gallery". When you are done with that (you will get a screen saying START GALLERY or something like that) add the AddType php-cgi .php line on the .htaccess file located in the GALLERY directory BEFORE you run Gallery for the first time. TRICKY PART: if you get error messages remember to QUIT and RESTART your browser before testing it. This will clear the session marked by a temporary cookie that Gallery stores. This thing got me going for quite a while.
User Post (2002-11-19 21:42:04 by bb_wannabe)
I just got "Gallery" (http://gallery.menalto.com/) to work. The key thing is just after you have finished configuring (you get the screen that your config is OK to save) that you add a line to the brand new .htaccess file with AddType php-cgi .php. There will not be an .htaccess file in the gallery directory until you save your config. If you do this and then run sh secure.sh you should be able to go to your gallery site (e.g. http://www.your-space.net/gallery) and be able to upload to your heart's content. The only other "bug" I've noticed is with the netpbm binaries. You need to copy the ppmtojpeg to a new pnmtojpeg. This is referenced in the Gallery bug list and FAQs. Happy digital imaging...
User Post (2002-09-24 12:23:59 by skidz)
I'm trying to use "Gallery" and I can't get it to work. I can't rename the files as pcgi files because then the authentication doesn't work. But I can't run it as php because then the gallery can't call the executable that creates thumbnails for me!
User Post (2002-09-08 15:03:26 by oitnews)
If you are trying to upload files via PHP, you pretty much have to use .pcgi. I recommend having a page that does only file uploading and nothing else (as file uploads have to be a different encoding type anyway.) Then use the move_uploaded_file to move it into a directory that your regular PHP scripts can handle. Good luck. And don't forget to increase that MAX_FILE_SIZE form, or bad things (tm) can happen.
User Post (2002-09-06 11:47:58 by melist)
I'm developing a web application on my own Dreamhost server, but my client is hosted somewhere else. When I try to use the .htaccess file: "AddType php-cgi .php" on my client's server, it stops processing the code as PHP, and just shows the document in plain text. You can actually read the code through the browser! (not good!) Of course this is not a problem when I use this .htaccess file on Dreamhost.

I would imagine that the "php-cgi" portion of this AddType is specific to Dreamhost.com. Could you verify that? And if it is Dreamhost specific, could you explain an alternative that should work on other php servers as well as on the Dreamhost server?

Here's what I'm up against...

When a new user signs up, they need to create a username folder to save their personal images on the server. Since the folder does not exist until the new member signs up, it's impossible to set the attributes for each image file beforehand. I need PHP to be able to run in CGI mode so that it can write files that do not already exist.

I need this .htaccess file to be portable! I can't tell all of my clients that I can only do their work if they are willing to transfer their services to Dreamhost. There must be a way to set this so that it works on other host servers as well.
User Post (2002-08-26 03:57:57 by demont)
Filesystem functions (fopen(), etc) are also disabled in the php as Apache module, and we can only use it in .pcgi files.
Unfortunately I suppose some functions (http authentication) are only available in the .php files...