Posted by Tim Hunt on 11/08/06 16:27

TJ wrote:
> Hello All,
>
> We have a client who is providing Web Hosting Solutions. One of the
> features include PHP Scripting.
> For security reasons, we have disabled some PHP Functions including
> 'ini_set'. Some end customers actually want this function to be
> enabled.
>
> We have analyzed the list of directives which are available via
> 'ini_set' (PHP_INI_ALL). Refer: http://in.php.net/manual/en/ini.php
>
> For us, this is a critical decision to make as some of the
> configuration like memory_limit can be misused by customers.
>
> We are using PHP v4.4.0 (ISAPI based) on Windows Server 2003 (IIS 6.0).
> Also, PHP is running under 'Safe Mode' hence max_execution_time cannot
> be overridden with ini_set.
>
> Questions:
> 1. Can we disable some critical PHP Directives (changeable as
> PHP_INI_ALL) so that even with 'ini_set', user cannot override them? If
> yes, how?
> 2. Is there any other way of securing the web server with ini_set
> enabled?
>

Try this.

http://www.webhosting.net/forum/archive/index.php?t-139.html

It says you can set php config values in the windows registry which
have the same effect as php_admin_flag and php_admin_value do on
apache.

Its referred to in in the manual but not as clearly.
http://www.php.net/manual/en/configuration.changes.php
The windows section says it works with some ini settings but not others
and it doesn't really say whether they can be overridden by the user or
not.

[Back to original message]