PHP subdomain security risk
A few people told me that subdomains I give out allowing them to upload PHP scripts could be a risk, that they would be able to delete all my files or something.
Is this true?
vegasgwm
09-21-2006, 06:55 AM
First off, you can only allow uploads in one folder; they will not have access to any other folder above that one. There are also upload scripts that have filetype checking and other security features to ensure the files being uploaded are not malicious. Check out http://hotscripts.com for scripts.
Mazzic
09-21-2006, 12:14 PM
Short answer: YES.
If you give someone the ability to upload PHP scripts, CGI executables, etc. to a subdomain, then they can use their web browser to execute that script, and it could do such things as delete files.
Since your subdomains are just folders off of your main account, there is no real separation between them. FTP accounts can limit users to a specific folder that they are allowed to access, but if that folder has execute capability then they can send up a script and then execute it.
Consider the following example. If you take this code, put it into a text file named test.php, then upload it to your subdomain directory. Next, go to your web browser and visit http://subdomain.com/test.php. A directory listing of your main account's files should be displayed.
Think what would happen if those you gave access to added the unlink command (which is PHP's delete-file statement) to the code?
Your best bet would probably be to limit FTP access to a directory that does not have execute ability, or use one of these uploader scripts that allows you to define what types of files can be uploaded.
-----
<html>
<body>
<?php
// Start from the web root of the subdomain, e.g. /home/main/public_html/sub
$xPath = rtrim($_SERVER["DOCUMENT_ROOT"], "/");
// Strip the last path component: this lands in the main account's folder,
// one level above the subdomain the uploader was supposedly confined to
$x = strrpos($xPath, "/");
$xPath = substr($xPath, 0, $x);
// List everything in that parent folder
$dh = opendir($xPath);
if ($dh === false) {
    die("Could not open $xPath");
}
while (false !== ($fn = readdir($dh))) {
    echo htmlspecialchars($fn) . "<br>";
}
closedir($dh);
?>
</body>
</html>
----
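One way to implement the first suggestion above (an upload directory that cannot execute anything) on Apache, as an added example that is not code from this thread; the directory path is an assumption, and the block assumes mod_php for the php_admin_flag line:

```apache
# Added example (not from the thread). Goes in httpd.conf or the vhost,
# NOT in an .htaccess the uploader could overwrite. Path is an assumption.
<Directory "/home/main/public_html/sub1/uploads">
    # mod_php only: turn the PHP engine off under this directory, so an
    # uploaded test.php is served as plain text instead of being run.
    php_admin_flag engine off

    # Undo AddHandler/AddType mappings for PHP-style extensions and forbid
    # CGI / SSI execution in case scripts are wired in some other way.
    RemoveHandler .php .phtml .php3 .php5 .phar
    RemoveType    .php .phtml .php3 .php5 .phar
    Options -ExecCGI -Includes

    # Belt and braces: refuse to serve script-like files at all. This also
    # covers PHP-FPM setups that map .php via SetHandler, since access
    # control runs before the handler. (Apache 2.4 syntax; on 2.2 use
    # "Order allow,deny" + "Deny from all" instead of Require.)
    <FilesMatch "\.(php\d?|phtml|phar|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # Stop an uploaded .htaccess from re-enabling any of the above.
    AllowOverride None
</Directory>
```

After a config reload, requesting any .php file placed in that directory should return 403 rather than the directory listing shown above; that request is the quickest check that the setting actually took effect.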
Person
11-11-2006, 01:10 AM
So, any good solution?
How can I prevent scripts from running from a specific subdirectory?
This is a serious security risk :(
Powered by vBulletin® Version 4.1.11 Copyright © 2012 vBulletin Solutions, Inc. All rights reserved.