Just have a bit of an issue that I've discovered and am looking for some advice. My apologies as well if this isn't the best forum for this question as I wasn't entirely sure.
I have a few directories off of my main domain (like mysite.com/pictures, mysite.com/data, etc). I created a few FTP accounts via my cPanel that point directly to these individual directories, and the FTP accounts themselves are not able to access any other locations on the server. A few people hold on to these FTP accounts to manage their respective directories.
However, what I've found is a rather potential security hole: someone could simply use their personal directory to run a PHP command using a relative file path like: unlink('../index.php') or rename('../index.php','../something_else.php') that could easily affect any file on the entire server.
So I was just curious, would there be any way to somehow prevent PHP commands from jumping out of one directory into others? Or even if I used a password-protected PHP file upload system instead of giving out FTP accounts, would there be any way to verify that no PHP commands could affect files outside of that directory?
Any advice or alternative solutions would be much appreciated, thanks!
[edited by: SomePerson6 at 1:28 am (utc) on June 28, 2009]
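The relative-path escape described in the post, shown from the defending side as an added example that is not part of the original post. The temp-directory layout and the `is_inside()` helper are constructed for illustration; `open_basedir` is PHP's own ini directive.

```php
<?php
// Constructed layout under the temp directory, standing in for
// mysite.com/ (site root) and mysite.com/pictures (one user's directory).
$root = sys_get_temp_dir() . '/mysite_' . uniqid();
mkdir($root . '/pictures', 0700, true);
file_put_contents($root . '/index.php', '<?php echo "home";');
$pictures = realpath($root . '/pictures');

// Hypothetical helper: true only if $path, with ".." and symlinks resolved,
// lies inside $baseDir. Relative paths are resolved against the current directory.
function is_inside(string $baseDir, string $path): bool
{
    $base = realpath($baseDir);
    $name = basename($path);
    $real = realpath($path);            // existing targets are resolved whole
    if ($real === false && !is_link($path) && $name !== '.' && $name !== '..') {
        // Target does not exist yet (e.g. a new upload): resolve its parent.
        $parent = realpath(dirname($path));
        $real = $parent === false ? false : $parent . DIRECTORY_SEPARATOR . $name;
    }
    if ($base === false || $real === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

chdir($pictures);
echo "new file in own directory allowed: ";
var_dump(is_inside($pictures, 'holiday.jpg'));
echo "../index.php allowed: ";
var_dump(is_inside($pictures, '../index.php'));

// is_inside() only guards code the site owner wrote (such as an upload script).
// For PHP files the users upload themselves, the limit must come from PHP:
// open_basedir confines file functions to the listed path. It is normally set
// per directory in the server configuration; ini_set() is used here only so the
// demonstration is self-contained. The trailing separator stops "pictures2"
// from matching the "pictures" prefix.
ini_set('open_basedir', $pictures . DIRECTORY_SEPARATOR);
echo "unlink('../index.php') succeeded: ";
var_dump(@unlink('../index.php'));
echo "rename('../index.php', ...) succeeded: ";
var_dump(@rename('../index.php', '../something_else.php'));
```

`open_basedir` restricts PHP's own file functions only; it does not cover programs started through `exec()` or `system()`, so running each directory's scripts under a separate OS user remains the stronger boundary.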