
Securing your PHP Installation - PHP

This is the first item in our Book Samples/Reviews section! This excerpt from Wrox Press Ltd.'s Professional PHP Programming covers Chapter 20 - Security. It shows you how to increase the security of your web site, not just by writing safe PHP scripts but also by configuring your web server correctly.

  1. Professional PHP Programming
  2. Contents
  3. The Importance of Security
  4. Securing your PHP Installation
  5. User Identification and Authentication
  6. Using Cryptography
  7. Secure transactions using SSL
  8. Installing a Private Key
  9. Creating Secure PHP Scripts
By: Dev Shed
April 13, 2000



Securing the module and the CGI version of PHP differs somewhat. Most options apply to both the module and the CGI version, but there are some that are only applicable to the CGI version of PHP. I will first discuss the options both installations have in common and then the CGI specific options.

Common Configuration Options
auto_prepend_file string
This configuration option is very handy for automating common tasks, such as connecting to databases, authenticating users or declaring often-used functions. Because the prepended file runs before every script in its scope, it is also the natural place for checks that must never be skipped. Chapter 22 (Templates) has more information on the use of this option.

doc_root string
This configuration option is only used when PHP is running in safe mode. When safe mode is in effect, PHP will not parse files outside this directory.

engine boolean
With this option you can turn parsing of PHP scripts by the PHP module on or off on a per-directory or per-virtual host basis. You could combine this with Apache’s AddHandler/Action directives to execute some scripts with the module and other scripts with the CGI version. The CGI version could be running under the suEXEC mechanism. More information on Apache’s suEXEC mechanism can be found later in this chapter.

If you turn parsing of PHP scripts by the module off for a directory that contains PHP scripts, make sure that access to those scripts is denied in the web server configuration or that the CGI version will parse them. If you don't, the web server serves the scripts as static files and their source is sent to the browser. If the source contains database passwords, this becomes a major problem. It is better to be safe than sorry, so check the contents of a directory before you turn parsing off, and afterwards request one of its scripts from a browser to confirm that source is not returned.

gpc_order string
Set the order in which GET, POST and COOKIE data is parsed. For instance, if you set this to “PG”, POST data will be parsed before GET data, so the GET data will override the data that resulted from the POST and cookies will not be parsed. The default is “GPC”.

include_path string
Specifies a list of directories where require and include look for files (fopen and similar functions consult it only when asked to, via their use_include_path argument). The format is like the system's PATH environment variable: in UNIX you use a colon to separate multiple directories, while in Windows you use a semicolon. Keep every directory in the list writable only by trusted users; a writable directory early in the path lets an attacker plant a file with the name of a library your scripts include.

In UNIX you would use:

include_path = .:/websites/common:/websites/car2001
In Windows you would use:

include_path = .;c:\websites\common;d:\websites\car2001
open_basedir string
With the use of the open_basedir option you can limit which files can be opened from PHP scripts.

When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory tree, PHP refuses to open it. Symbolic links and ".." components are resolved before the check, so it is not possible to bypass this restriction with a symbolic link. Note that each entry is compared as a string prefix, not as a directory name: open_basedir = /websites/car also admits /websites/car2001 and /websites/cars if they exist. End each entry with a slash when you mean only that directory and the directories below it.

If you use a single dot, PHP will only open files in the directory the script is stored in or any directory below it. You can specify multiple directories, separated just as in include_path.

The default is to allow all files to be opened.
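The following is an added example, not code from the book: a Python model of the open_basedir check as PHP performs it (resolve the real path, then compare it against each configured entry), exercised against a throwaway directory tree it builds itself. PHP's own check is C code inside the interpreter; this model reproduces only the two properties an administrator needs to know: symbolic links and ".." are resolved before the comparison, and the comparison is a string-prefix match, so an entry without a trailing slash also admits sibling directories that share the prefix. The directory and file names (common, common2001, secret.txt) are made up for the demonstration.

```python
import os
import shutil
import tempfile


def open_basedir_allows(path, open_basedir):
    """Model of PHP's open_basedir test (added example, not PHP's own code).

    PHP resolves the requested path (symlinks and ".." included) and then
    checks whether it begins with one of the configured entries. Because that
    is a prefix comparison, "/websites/car" also admits "/websites/car2001";
    ending the entry with a slash limits it to that directory tree. PHP treats
    "." as the script's own directory; this model expects explicit directories.
    """
    resolved = os.path.realpath(path)
    for entry in open_basedir.split(os.pathsep):  # ":" on UNIX, ";" on Windows
        if not entry:
            continue
        base = os.path.realpath(entry)  # realpath drops any trailing slash
        if entry.endswith(os.sep):
            # Trailing slash: the directory itself or anything below it.
            if resolved == base or resolved.startswith(base + os.sep):
                return True
        elif resolved.startswith(base):
            # No trailing slash: plain prefix match, siblings included.
            return True
    return False


def demo():
    """Build a scratch tree, run the check on it and return the results."""
    root = tempfile.mkdtemp()
    try:
        common = os.path.join(root, "common")        # the tree we mean to allow
        sibling = os.path.join(root, "common2001")   # shares the string prefix
        os.makedirs(common)
        os.makedirs(sibling)
        secret = os.path.join(root, "secret.txt")    # outside the allowed tree
        with open(secret, "w") as fh:
            fh.write("dbpass=constructed-example\n")
        link = os.path.join(common, "escape")        # symlink inside pointing out
        try:
            os.symlink(secret, link)
        except OSError:
            link = None  # platform does not allow symlinks here

        allowed_tree = common + os.sep
        results = {
            # inside the allowed tree: permitted
            "inside": open_basedir_allows(os.path.join(common, "index.php"), allowed_tree),
            # sibling with a shared prefix: admitted when the entry has no slash...
            "sibling_no_slash": open_basedir_allows(os.path.join(sibling, "x.php"), common),
            # ...and refused once the entry ends in a slash
            "sibling_with_slash": open_basedir_allows(os.path.join(sibling, "x.php"), allowed_tree),
            # ".." is resolved before the comparison
            "dotdot": open_basedir_allows(os.path.join(common, "..", "secret.txt"), allowed_tree),
            # a symlink inside the tree that points outside is resolved and refused
            "symlink": None if link is None else open_basedir_allows(link, allowed_tree),
        }
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        state = "skipped" if allowed is None else ("allowed" if allowed else "refused")
        print(f"{name:20s} {state}")
```

The sibling_no_slash result is the one to remember when writing the real directive: `open_basedir = /websites/car2001/` (with the slash) is the form that confines scripts to that tree.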

max_execution_time integer
This allows you to specify the maximum number of seconds a script is allowed to execute. If a script takes longer, the PHP parser terminates it. When not in safe mode, you can use the set_time_limit function to change this setting from a running script; the new value counts from the moment of the call, so if the script has been running for 10 seconds and set_time_limit is called with a value of 30, the script is allowed to run 40 seconds in total. Note what is measured: on UNIX the limit counts the CPU time consumed by the script itself, and time spent blocked in system calls, database queries or sleep is not counted, so a script that merely waits for 40 seconds is not terminated; on Windows wall-clock time is measured. The limit is a resource control against runaway scripts, not a guarantee that a request finishes in that many seconds.

By default, a script is allowed to run 30 seconds. If you set the time limit to zero, either using this option or the set_time_limit function, no time limit is imposed on the script.

memory_limit integer
With the memory_limit option you can limit the amount of memory (in bytes) a script can use. Memory limits are only available if PHP was compiled with support for them (the --enable-memory-limit configure option in PHP 4). In contrast to a time limit, a script in the PHP version covered here cannot change its own memory limit; it can only be set from the PHP configuration file. Later PHP versions do accept ini_set('memory_limit', ...) from a script, so on those versions set the value with php_admin_value in the Apache configuration if scripts must not be able to raise it.

memory_limit = 204800 ; let scripts use up to 200 KB of memory

safe_mode boolean
This option turns PHP's safe mode on or off. When PHP is run in safe mode, PHP imposes several security limitations on scripts; they are described under "Using Safe Mode" below. Safe mode is enforced by the PHP interpreter rather than by the operating system, so it narrows what scripts can do but does not replace running each user's scripts under a separate UNIX user (for that reason it was deprecated in PHP 5.3 and removed in PHP 5.4).

safe_mode_exec_dir string
When safe mode is in effect, PHP will only allow you to execute programs from the specified directory.

sql.safe_mode boolean
MySQL has its own safe mode. If you set this to TRUE, mysql_connect and mysql_pconnect ignore any host, user and password information you supply and use the defaults instead. This means you can only connect to the MySQL database as the user the web server is running as.

upload_tmp_dir string
This specifies where PHP should place files that are being uploaded.

user_dir string
This is the directory PHP will look for scripts in a users home directory. Normally you will use the value you have also used for the UserDir directive in the Apache configuration (usually public_html), but you could also use other values. For instance, if you set this to public_html/php, then PHP scripts need to be located in the php subdirectory of public_html in order for PHP to parse them.
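As an added example (not from the book), here is a small Python audit of the options above as they appear in php.ini. It parses a php.ini text and reports the settings this chapter identifies as weak: safe mode off, or on without an exec directory; open_basedir unset or given without trailing slashes; no execution time limit; no memory limit. The two php.ini fragments inside it are constructed for the demonstration and the paths and limits in them are illustrative choices; the parser handles only the plain `name = value` lines and `;` comments used here, not sections, quoting rules or ${} expansion.

```python
# Constructed php.ini fragment with the permissive settings this chapter warns about.
WEAK_INI = """
; php.ini (constructed example) - permissive settings
engine = On
safe_mode = Off
open_basedir =
max_execution_time = 0
memory_limit =
"""

# Constructed hardened counterpart; the directories are illustrative.
HARDENED_INI = """
; php.ini (constructed example) - restricted settings
engine = On
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin
open_basedir = /websites/car2001/:/tmp/
max_execution_time = 30
memory_limit = 8388608   ; 8 MB, in bytes
upload_tmp_dir = /websites/car2001/tmp
"""


def parse_ini(text):
    """Read simple 'name = value' lines; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini booleans: On/Yes/True/1 are true, anything else is false."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def audit(settings):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []

    if not is_on(settings.get("safe_mode", "")):
        findings.append("safe_mode is off: file-owner, exec-dir and realm checks are not applied")
    elif not settings.get("safe_mode_exec_dir"):
        findings.append("safe_mode is on but safe_mode_exec_dir is unset: the compiled-in default applies")

    basedirs = settings.get("open_basedir", "")
    if not basedirs:
        findings.append("open_basedir is empty: scripts may open any file the server user can read")
    else:
        for entry in basedirs.split(":"):  # ';' separates entries on Windows
            if entry and entry != "." and not entry.endswith("/"):
                findings.append(f"open_basedir entry {entry} lacks a trailing slash: "
                                f"it is a prefix and also admits {entry}* siblings")

    # PHP's built-in default is 30 seconds, so an absent key is not a finding.
    if settings.get("max_execution_time", "30") == "0":
        findings.append("max_execution_time is 0: runaway scripts are never terminated")

    if settings.get("memory_limit", "") in ("", "-1"):
        findings.append("memory_limit is unset: a single script can exhaust server memory")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in audit(parse_ini(text)) or ["no findings"]:
            print(" -", finding)
```

To run it against a real server, feed it the file reported by phpinfo() (or `php -i`) and treat each finding as a setting to review rather than a verdict; a deliberately unlimited max_execution_time on a batch-only host, for instance, may be intended.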

Database Specific Options
Most of the database modules have several options that may increase the availability of your application. The two most common options are max_persistent and max_links. Check the documentation of the particular database you are using to see which options are supported.

max_persistent integer
Allows you to set the maximum number of persistent connections a single process can open at any one time. If you set this value to 3 and you have set the number of webservers Apache is allowed to start to 50, you could end up with 150 persistent connections. Please make sure your database can handle this.

max_links integer
Allows you to set the maximum number of database connections a script can have. This includes both normal and persistent database connections. Don't set this too high, as your database may not be able to handle the sheer volume of connections.

Using Safe Mode
Running PHP in safe mode is a great way of making the use of PHP scripts safer, especially if you allow users to develop and run their own PHP scripts. Turning on safe mode will cause PHP to check a number of things before executing functions that could possibly be a security risk.

Include, ReadFile, Fopen, File, Unlink, RmDir, etc.
The owner of the file to be included must be the same as the owner of the running script, or the directory in which the file resides must be owned by that user.

Exec, System, PassThru, etc.
Programs to be executed must reside in a special directory (the default is /usr/local/php/bin). You can set this value before compiling PHP with the --with-exec-dir option.

MySQL_Connect
This function takes an optional username to use to connect to a MySQL database. When in safe mode, this username must be either the username of the owner of the file currently being parsed or the name of the httpd user (usually nobody).

HTTP Authentication
The numerical user id of the owner of the script containing the HTTP Authentication code is prepended to the authentication realm. Browsers resend credentials for a realm they have already authenticated to, so this prevents one user's script from presenting another user's realm and collecting the passwords the browser sends for it.

©1998 Wrox Press Limited, US and UK.
