In any programming language a number of trade-offs have invariably been made, but the sacrifice of security for power is generally the one that incites the most discussion. Put simply, if PHP is configured to operate in a trusting manner, users with access to it can abuse the system in any number of ways. Whether it is writing scripts that chew up enormous amounts of CPU time, accessing files that are not theirs, or maybe even using it as a springboard for a denial of service attack, the possibilities are endless. If you find a user on your server who has scripts that are taking up enormous amounts of resources, it is smart to keep in mind Hanlon's razor: "Never attribute to malice that which is adequately explained by stupidity". That is, your user might just be a bit clueless and need pointing in the right direction - why not tell them to read this book? </CHEAP_PLUG>
In a web-hosting environment, there are three distinct situations: users have a shared server, they have a virtual private server (aka, a virtual server) or they have a dedicated server.
When users have a dedicated server, web host sys admins are not likely to care how lax the owners set their servers to be, because, after all, if they write scripts to chew up 100% of the CPU time, it affects no one else. However, when PHP is running on a shared server or a poorly configured virtual server, a great deal of care needs to be taken to ensure that access to it cannot be abused.
Copyright ©2015 Paul Hudson.