Source of: /manual/en/security.cgi-bin.shell.php
<?php
include_once $_SERVER['DOCUMENT_ROOT'] . '/include/shared-manual.inc';
$TOC = array();
$PARENTS = array();
include_once dirname(__FILE__) ."/toc/security.cgi-bin.inc";
$setup = array (
'home' =>
array (
0 => 'index.php',
1 => 'PHP Manual',
),
'head' =>
array (
0 => 'UTF-8',
1 => 'en',
),
'this' =>
array (
0 => 'security.cgi-bin.shell.php',
1 => 'Case 4: PHP parser outside of web tree',
),
'up' =>
array (
0 => 'security.cgi-bin.php',
1 => 'Installed as CGI binary',
),
'prev' =>
array (
0 => 'security.cgi-bin.doc-root.php',
1 => 'Case 3: setting doc_root or user_dir',
),
'next' =>
array (
0 => 'security.apache.php',
1 => 'Installed as an Apache module',
),
);
$setup["toc"] = $TOC;
$setup["parents"] = $PARENTS;
manual_setup($setup);
manual_header();
?>
<div id="security.cgi-bin.shell" class="sect1">
<h2 class="title">Case 4: PHP parser outside of web tree</h2>
<p class="para">
A very secure option is to put the PHP parser binary somewhere
outside of the web tree of files. In <var class="filename">/usr/local/bin</var>, for example. The only real
downside to this option is that you will now have to put a line
similar to:
</p><div class="informalexample">
<div class="example-contents programlisting">
<div class="cdata"><pre>
#!/usr/local/bin/php
</pre></div>
</div>
</div><p>
as the first line of any file containing PHP tags. You will also
need to make the file executable. That is, treat it exactly as
you would treat any other CGI script written in Perl or sh or any
other common scripting language which uses the
<i>#!</i> shell-escape mechanism for launching
itself.
</p>
<p class="para">
To get PHP to handle <span class="envar">PATH_INFO</span> and
<span class="envar">PATH_TRANSLATED</span> information correctly with this
setup, the PHP parser should be compiled with the <a href="configure.about.php#configure.enable-discard-path" class="link">--enable-discard-path</a>
configure option.
</p>
</div><?php manual_footer(); ?>
