(1) In PHP there is now a very easy mechanism to disable the capability to write files. This is a great idea especially if your site is entirely database-driven, in which case you don't have any legitimate need to write to the filesystem with PHP anyway. To disable file writing, simply add fwrite to the list of disabled functions in php.ini:
disable_functions = "fwrite"
If you don't use php.ini and need to set this value in Apache httpd.conf, remember that it requires a php_admin_value flag (rather than php_value), so that the setting cannot be overridden from .htaccess or at runtime.
(2) Many of the functions related to file operations are dangerous. Because they duplicate operations that can and should be performed from the local system, they can be a cracker's bonanza without providing much value to legitimate users. Strongly consider disabling them using PHP's disable_functions directive!
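A small verification script, added here and not part of the original text, that reports which file-writing functions are still callable once disable_functions is in effect. The httpd.conf line in the comment is my assumption of the form the text refers to, and the list of functions checked is my own choice based on the text's goal of no filesystem writes from PHP.

```php
<?php
// Added verification script (not from the original text). Run it under the same
// SAPI whose configuration you edited: the CLI often loads a different php.ini
// than mod_php or php-fpm, so check `php --ini` or serve this file through Apache.
//
// The two configuration forms the text refers to:
//   php.ini:     disable_functions = "fwrite"
//   httpd.conf:  php_admin_value disable_functions "fwrite"   (assumed form)
//
// disable_functions is PHP_INI_SYSTEM: it cannot be changed with ini_set() at
// runtime, which is why the Apache form must use php_admin_value.

/**
 * Return the functions from $wanted that are still callable.
 * function_exists() returns false for functions removed by disable_functions,
 * so anything it reports as existing was not covered by the directive.
 */
function still_enabled(array $wanted): array
{
    return array_values(array_filter($wanted, 'function_exists'));
}

// Functions that write to or alter the filesystem. Note that disable_functions
// matches exact names: disabling fwrite does not disable its alias fputs, nor
// the other writers, so each must be listed separately in the directive.
$writers = [
    'fwrite', 'fputs', 'file_put_contents', 'fputcsv',
    'fopen', 'rename', 'unlink', 'copy', 'mkdir', 'chmod',
];

echo "disable_functions = " . (ini_get('disable_functions') ?: '(empty)') . PHP_EOL;

$open = still_enabled($writers);
if ($open === []) {
    echo "all listed file-writing functions are disabled" . PHP_EOL;
} else {
    foreach ($open as $fn) {
        echo "still enabled: $fn" . PHP_EOL;
    }
}
```

With only fwrite disabled as in the text, the script lists every other writer as still enabled; extend the directive until the output is empty for the functions your site does not need.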