<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Case 4: PHP parser outside of web tree</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="security.cgi-bin.doc-root.html">Case 3: setting doc_root or user_dir</a></div> <div class="next" style="text-align: right; float: right;"><a href="security.apache.html">Installed as an Apache module</a></div> <div class="up"><a href="security.cgi-bin.html">Installed as CGI binary</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="security.cgi-bin.shell" class="sect1"> <h2 class="title">Case 4: PHP parser outside of web tree</h2> <p class="para"> A very secure option is to put the PHP parser binary somewhere outside of the web tree of files. In <var class="filename">/usr/local/bin</var>, for example. The only real downside to this option is that you will now have to put a line similar to: <div class="informalexample"> <div class="example-contents"> <div class="cdata"><pre> #!/usr/local/bin/php </pre></div> </div> </div> as the first line of any file containing PHP tags. You will also need to make the file executable. That is, treat it exactly as you would treat any other CGI script written in Perl or sh or any other common scripting language which uses the <em>#!</em> shell-escape mechanism for launching itself. </p> <p class="para"> To get PHP to handle <span class="envar">PATH_INFO</span> and <span class="envar">PATH_TRANSLATED</span> information correctly with this setup, the PHP parser should be compiled with the <a href="configure.about.html#configure.enable-discard-path" class="link">--enable-discard-path</a> configure option. </p> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="security.cgi-bin.doc-root.html">Case 3: setting doc_root or user_dir</a></div> <div class="next" style="text-align: right; float: right;"><a href="security.apache.html">Installed as an Apache module</a></div> <div class="up"><a href="security.cgi-bin.html">Installed as CGI binary</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>