It seemed like a good fit. The site owner needed an immediate solution. His site had to be moved within hours but it was a small, low traffic site. We found a host with a great reputation for speed and reliability with a very low priced starter package for low bandwidth accounts. I searched for an hour and found not one negative comment about them, and when we moved the site I was immediately impressed by the speed. FTP connections were instantaneous. All seemed well.
Until I finally got a chance to run phpinfo() and found out the server was NOT in safe mode. With alarm bells ringing I threw together a script and went for a little walk around the neighborhood. Not one door was locked for reading. CHMOD seems to be disabled, which might slow down the tampering, but does nothing to help me. Without the ability to protect my files from prying eyes, there is no way I can store passwords on the server so any database or FTP solution seems to be OUT.
Since any stored data is not high risk, I am considering a file-based storage system with its own password protection which would at least secure it from casual passers-by, but I sure would like to come up with a better solution. At the moment I am emailing the data which will hold us for now. Leaving a data file write enabled gives me the heebie-jeebies and is just asking the script kiddies to play.
Has anybody ever dealt with this problem? Is there ANY reason a shared server might want to NOT run in safe mode? If they do need to allow such permissions to the general population, is there anything the host can do to protect their users? Is there anything a user can do to protect themselves? Is there any way I can use .htaccess to help?
I am a bit shocked a server with a good reputation would have such a callous disregard. It seems there should be a warning on the signup page or something. My emails to the host have not been answered at all.
I am, of course, aware of the obvious solution if I cannot find an acceptable workaround.