Seems like Windows and PHP are kind of difficult to setup to prevent someone using PHP to read and write from other directories. If i was going to provide hosting to users and put them all in a directory such as "C:/users". If i had apache running as user "apache", what permissions would i have to give all the folders on the server. Also, with PHP, how could i prevent people from executing files, scripts, not in there folder(Say "C:/users/js1" as an example). If i put safe mode on, and used open_basedir, you would have to specify a folder but if FTP only gives them access to their specific folder, none of their files would go into the folder used for executing files. So, i really dont understand how open_basedir works. I could also disable php functions to prevent exploits, but how could i only apply the disabled functions to for example just "C:/users". If apache runs as user "apache", then does PHP also run as user "apache". If this was going to be a shared hosting, then all the users would be using the user "apache", so what permissions would i give to the "C:/users" folder and would it be a security risk to leave the everyone permission on there. I dont see why, because it would be running as "apache" and you could set the everyone account to the same permissions i would give to apache. Also, I dont see how there could be a possible way to allow each specific hosting user to only access their own directory because the files are transferred through FTP and there is only one user that apache and php use. So what is the safest method using the one account of apache and php, to prevent access to other folders on the server for each user. Also, how would i allow myself to use all functions, but make the "C:/users" directory be limited regarding PHP functions and restrictions? In addition, if .htaccess files were allowed, how could i prevent people from putting code in to exploit the server, or disabling/enabling php settings/functions?
