Are there any security experts here that can address this issue? I see that it is a good idea to disable ini_set (in the server php.ini file) because this can be used to circumvent some php security settings, etc. BUT, ini_set is required by many script packages out there, Open Source and otherwise. SO, I would like to enable ini_set just for those accounts that need them... BUT, to do this I would need to allow custom php.ini files which would only get me back to "square one" with regard to further securing php on the server, (i.e. if we allow custom php.ini files in each account, then users could once again circumvent php security.) This is a catch 22 for which there seems to be no resolution. Of have I missed something here? Anyone?