php security question
Is there a way to disable custom php.ini files. So the users won't be able to set their own php.ini and overwrite the main php.ini config file ?
I installed php as cgi script with phpsuexec and I set up the php.ini file in /usr/local/lib/php.ini
I disabled the feature display_errors as it might reveal some information.
But any user can set its own php.ini file in his web root directory and totaly overwrite the main php.ini file.
So it makes no reason to set the main php.ini file as it can be overwritten by a local php.ini file.
One of things that came to my mind is I can set a php.ini file in users doc root directory and change their permission to non readable by anyone, then the php.ini is being read from the correct place.
but I don't think that this is a right solution . There must be some thing more elegant. I failed to find any information about this on google.
Any help will be highly appritiated.
And sorry for not using spellchecker
