PHP: Case 4: PHP parser outside of web tree

[edit] Last updated: Fri, 28 Jun 2013

Case 4: PHP parser outside of web tree

A very secure option is to put the PHP parser binary somewhere outside of the web tree of files. In /usr/local/bin, for example. The only real downside to this option is that you will now have to put a line similar to:

#!/usr/local/bin/php

as the first line of any file containing PHP tags. You will also need to make the file executable. That is, treat it exactly as you would treat any other CGI script written in Perl or sh or any other common scripting language which uses the #! shell-escape mechanism for launching itself.

To get PHP to handle PATH_INFO and PATH_TRANSLATED information correctly with this setup, the PHP parser should be compiled with the --enable-discard-path configure option.

add a note User Contributed Notes Case 4: PHP parser outside of web tree - [2 notes]

down

mails dot php dot net-notes at gunter dot ohrner dot net ¶

1 year ago


You can invoke the interpreter under Apache 2.2 running in Windows by associating the php file extension with the interpreter binary in the registry:



AddType application/x-httpd-php .php

AddHandler cgi-script .php



In the desired <Directory>-block, configure PHP CGI as follows:



Options +ExecCGI

## Use HKEY_CLASSES_ROOT\.cgi\Shell\ExecCGI\Command

## to determine CGI script interpreter

## ("c:\program files\php-5.2.17\php-cgi.exe").

## This key must be created manually.

ScriptInterpreterSource Registry-Strict



You need to disable cgi.force_redirect in this case, which should be safe from what I understand. You could probably simply use php.exe instead of php-cgi.exe, though I'd like to have this confirmed from someone else.

down

-1

Andras Rokob <rokoba at bolyai dot elte dot hu> ¶

6 years ago


You can avoid the need of using the shell-escaping (#! ...) in all your php scripts if you set the executable bit on them and exploit the binfmt_misc support of the Linux kernels.

add a note