I'm just curious if there's a way to disable things like shell_exec() using the .htaccess file or something, not globally, but only for specific subdomains or directories (possibly disable fopen() on files above the subdir). It occurred to me that on one of my shared hosts where I'm sharing subdomain space with a friend, he could use PHP to get a look at directories outside his own.
Perhaps I could use mod_rewrite and send any hit anywhere through a PHP script that disables certain things before forwarding the request to where it was going? Would this work, and would it incur a significant performance penalty?
You can do it programmatically:
ini_set('disable_functions', 'fopen,shell_exec');
or in .htaccess:
php_value disable_functions fopen,shell_exec
There shouldn't be any performance degradation. I doubt you'll be changing the settings repeatedly inside a for(), while() or foreach() loop.
You can do this with a .htaccess file:
http://www.askapache.com/php/custom-phpini-tips-and-tricks.html#m0-askapache12
I believe those things need to be changed in the php.ini file. Some hosts allow you to have multiple php.ini files within the file structure. If you are on a shared hosting environment, then you probably will have one php.ini file for all shared accounts. Hosts realize this is a problem, so they allow you to have your own within your home directory for sub directory... check with your host.
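Whichever of the approaches above is tried, it is worth confirming from inside the restricted directory that the setting actually took effect; the PHP manual documents disable_functions as a php.ini-only directive. The script below is an added example, not code from any of the answers: it prints where the running PHP says each directive may be changed, whether shell_exec() and fopen() are blocked, and whether the parent directory is readable. open_basedir (PHP's directive for confining file access to a directory tree) is included as an assumption about what the question's "files above the subdir" requirement needs.

```php
<?php
// Added example (not from the thread): report the restrictions this PHP
// process is really running with. Place it in the directory being restricted.

/** Function names listed in the effective disable_functions value. */
function disabled_list(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map('trim', explode(',', strtolower($raw)));
    return array_values(array_filter($names, 'strlen'));
}

/** Where a directive may be changed, decoded from ini_get_all()'s access bitmask. */
function change_scope(string $directive): string
{
    $all = ini_get_all(); // per-directive details, including 'access'
    if (!isset($all[$directive])) {
        return 'unknown directive';
    }
    $access = $all[$directive]['access'];
    $where = [];
    if ($access & INI_USER)   { $where[] = 'ini_set()'; }
    if ($access & INI_PERDIR) { $where[] = '.htaccess / per-directory'; }
    if ($access & INI_SYSTEM) { $where[] = 'php.ini / server config'; }
    return implode(', ', $where) ?: 'nowhere';
}

printf("SAPI: %s\n", php_sapi_name());
foreach (['disable_functions', 'open_basedir'] as $directive) {
    printf("%s may be set via: %s\n", $directive, change_scope($directive));
}

$disabled = disabled_list();
foreach (['shell_exec', 'fopen'] as $fn) {
    // PHP 8 removes disabled functions entirely, so function_exists() is checked too.
    $blocked = in_array($fn, $disabled, true) || !function_exists($fn);
    printf("%-10s %s\n", $fn, $blocked ? 'blocked' : 'CALLABLE');
}

// ini_set() returns false when a directive cannot be changed at runtime.
$accepted = @ini_set('disable_functions', 'shell_exec') !== false;
printf("runtime ini_set('disable_functions') accepted: %s\n", $accepted ? 'yes' : 'no');

// An empty open_basedir means file functions are not confined to any tree.
$basedir = (string) ini_get('open_basedir');
printf("open_basedir: %s\n", $basedir === '' ? '(not set)' : $basedir);
printf("parent directory readable: %s\n", @is_readable(dirname(__DIR__)) ? 'YES' : 'no');
```

Run it through the web server rather than the CLI, since the CLI usually loads a different php.ini and ignores .htaccess.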