Hosting Security

How can I make a secure hosting with PHP ?
So, whats the problem ?
mod_php executes with apache's permissions
(usualy apache.apache or nobody.nobody)
and everybody can see scripts and datas of other
users. Suexec doesn't solve the problem, because
suexec works only with CGI scripts.

Face it, that's the way PHP as a module is.

That isn't true. Not really

There is a simple method but requires the help of your ISP (And their time).

The only way to do it (AFAIK) is as follows (Well mostly your ISP):-
what you have to do is remove your entry for the virtual host entry (In httpd.conf).

Put this into a file that is only readable by the user, within the VirtualHost directive put :-

<Directory /home/username/web>
SetEnv MYSQLPWD secret_pwd
</Directory>

Now chmod and chown the file then include it in httpd.conf using the Include statement

Now in your PHP scripts you use $pwd=getenv("MYSQLPWD");
$pwd then equals secret_pwd;

Make sure you don't use phpinfo in that directory or you will show the whole world your password.

It works as we have used it many times. Good luck with this method! You will need an accommodating host and I would suspect they might charge a little for their time but lets face it its much better this way then the standard free for all.


Regards
Darren Casey