I have tons of extra disk space and bandwidth on my sever, and would like to allow some FTP space (which would be in a web-accessible directory) for my users. However, I'm afraid that doing so could pose a threat to security, since it would be fairly easy to write a script that would display the contents of a .php configuration file in the parent directory, which holds the passwords that my software uses to access the SQL tables.

I've been looking for a way to isolate a directory so that a script could not access any parent directories, or at least prevent the execution of scripts.

Since the server is shared, I do not have direct control over it; only CPanel and htaccess methods. So I've mainly been hoping there's a way to accomplish this with htaccess files.

I know I could use a web-based file management system, which would rename all files to a harmless extension, but I'd much rather stick with FTP.

If you used something to rename your files to some harmless extension, that would break your system. Say if someone wants to upload a jpeg so they can use it as a forum signature. Or really, people want to upload a particular type of file for any reason. So that method is out.

With cpanel, can you set up password protected subdirectories?

Quote:

Originally Posted by Learning Newbie

With cpanel, can you set up password protected subdirectories?

Yes, I have the option, but don't think password protecting the directory would isolate it from parent directories, and a script running on the server could probably bypass those restrictions.

.htaccess in the folder you want to stop scripting on

Code:

RewriteEngine On
RewriteRule \.(php|php3)$ /noscript.html [L]

should redirect all requests for .php files to noscript.htm