As far as I know, mod_php can be configured either by means of php.ini or .htaccess files while, for CGI, .htaccess files cannot be used.
Does the fact that mod_php can use .htaccess files make it more insecure with respect to CGI?
Answer
Your base assumption is wrong, as PHP in a CGI can scan per-directory .ini files.
Both features can be turned off, either with not setting
AllowOverride Options
in your Apache config or with setting
user_ini.filename = ; empty value!
in your global PHP config.
So, in summary, both are similarly safe or unsafe. That said, I wouldn’t say that even if only .htaccess was possible, it would be more unsafe, as there is a restricted set of options you can set in either .htaccess or per-dir .ini files anyway, for security purposes.
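An audit sketch for the two switches named in the answer, added here as an example and not part of the original answer: it reports which `AllowOverride` lines let .htaccess carry PHP settings and whether per-directory .ini scanning is still on. The function names and both sample configurations are constructed for illustration; the `.user.ini` default is PHP's documented default for `user_ini.filename`.

```python
import re

# Constructed sample configurations (not taken from the original post).
APACHE_SAMPLE = """\
# vhost fragment
<Directory "/var/www/app">
    AllowOverride FileInfo Options
</Directory>
<Directory "/var/www/static">
    AllowOverride None
</Directory>
"""
PHP_INI_SAMPLE = """\
; global php.ini fragment
[PHP]
user_ini.filename =
user_ini.cache_ttl = 300
"""

def htaccess_php_overrides(apache_conf):
    """Return AllowOverride lines that permit php_value/php_flag in .htaccess."""
    hits = []
    for raw in apache_conf.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # Apache comments are whole lines
            continue
        m = re.match(r"AllowOverride\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        tokens = [t.lower() for t in m.group(1).split()]
        # PHP's .htaccess directives need the Options (or All) override class;
        # "Options=..." only narrows which Options values may be set.
        if any(t in ("all", "options") or t.startswith("options=") for t in tokens):
            hits.append(line)
    return hits

def user_ini_filename(php_ini, default=".user.ini"):
    """Return the effective user_ini.filename; "" means scanning is disabled."""
    value = default
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        m = re.match(r"user_ini\.filename\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value

def audit(apache_conf, php_ini):
    """Summarise both per-directory override paths in one result."""
    return {
        "htaccess_php_overrides": htaccess_php_overrides(apache_conf),
        "user_ini_scanning": user_ini_filename(php_ini) != "",
    }

if __name__ == "__main__":
    print(audit(APACHE_SAMPLE, PHP_INI_SAMPLE))
```

The scan covers only the text it is given, so included files (`Include`, additional .ini directories) have to be concatenated or checked separately.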
Attribution
Source : Link , Question Author : Simus , Answer Author : Sven