
Other Security-Related Configuration Parameters - PHP

Long before a website goes live, you need to take its online security into consideration -- to be ready for the attackers even before they might gain access. This three-part article series will warn you of what to watch out for, particularly when configuring PHP, and help you to secure your website. It is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

  1. Secure PHP Programming
  2. Configuring PHP Securely
  3. Other Security-Related Configuration Parameters
  4. Hiding Configuration Details
By: Apress Publishing
August 12, 2010




This section introduces several other configuration parameters that play an important role in better securing your PHP installation.

disable_functions = string

Scope: PHP_INI_SYSTEM; Default value: NULL

For some, enabling safe mode might seem a tad overbearing. Instead, you might want to just disable a few functions. You can set disable_functions equal to a comma-delimited list of function names that you want to disable. Suppose that you want to disable just the fopen(), popen(), and file() functions. Set this directive like so:

disable_functions = fopen,popen,file

disable_classes = string

Scope: PHP_INI_SYSTEM; Default value: NULL

Given the new functionality offered by PHP’s embrace of the object-oriented paradigm, it likely won’t be too long before you’re using large sets of class libraries. However, there may be certain classes found within these libraries that you’d rather not make available. You can prevent the use of these classes with the disable_classes directive. For example, suppose you want to completely disable the use of two classes, named administrator and janitor:

disable_classes = "administrator, janitor"

display_errors = On | Off

Scope: PHP_INI_ALL; Default value: On

When developing applications, it’s useful to be immediately notified of any errors that occur during script execution. PHP accommodates this need by outputting error information to the browser window. However, this information can reveal potentially damaging details about your server configuration or application. Therefore, when the application moves to a production environment, be sure to disable this directive. You can, of course, continue reviewing these error messages by saving them to a log file or using some other logging mechanism. See Chapter 8 for more information about PHP’s logging features.

doc_root = string

Scope: PHP_INI_SYSTEM; Default value: NULL

This directive can be set to a path that specifies the root directory from which PHP files will be served. If the doc_root directive is set to nothing (empty), it is ignored, and the PHP scripts are executed exactly as the URL specifies.

max_execution_time = integer

Scope: PHP_INI_ALL; Default value: 30

This directive specifies how many seconds a script can execute before being terminated. This can be useful to prevent users’ scripts from consuming too much CPU time. If max_execution_time is set to 0, no time limit will be set.

memory_limit = integer

Scope: PHP_INI_ALL; Default value: 8M

This directive specifies, in megabytes, how much memory a script can use. Note that you cannot specify this value in terms other than megabytes, and that you must always follow the number with an M. This directive is only applicable if --enable-memory-limit is enabled when you configure PHP.

open_basedir = string

Scope: PHP_INI_SYSTEM; Default value: NULL

PHP’s open_basedir directive can establish a base directory to which all file operations will be restricted, much like Apache’s DocumentRoot directive. This prevents users from entering otherwise restricted areas of the server. For example, suppose all Web material is located within the directory /home/www. To prevent users from viewing and potentially manipulating files such as /etc/passwd via a few simple PHP commands, consider setting open_basedir like so:

open_basedir = "/home/www/"

sql.safe_mode = integer

Scope: PHP_INI_SYSTEM; Default value: 0

When enabled, sql.safe_mode ignores all information passed to mysql_connect() and mysql_pconnect(), instead using localhost as the target host. The user under which PHP is running is used as the username (quite likely the Apache daemon user), and no password is used. Note that this directive has nothing to do with the safe mode feature found in versions of PHP earlier than 6.0; their only similarity is the name.

user_dir = string

Scope: PHP_INI_SYSTEM; Default value: NULL

This directive specifies the name of the directory in a user’s home directory where PHP scripts must be placed in order to be executed. For example, if user_dir is set to scripts and user Johnny wants to execute somescript.php, Johnny must create a directory named scripts in his home directory and place somescript.php in it. This script can then be accessed via the URL http://www.example.com/~johnny/scripts/somescript.php. This directive is typically used in conjunction with Apache’s UserDir configuration directive.
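The directives above are easy to review offline before a server goes live. The following Python script is an added example, not code from the book: it parses php.ini text and reports settings that run against this section's advice. The sample file, the function names parse_ini and audit, and the required list of disabled functions are assumptions made for illustration.

```python
import re

# Constructed sample php.ini (not from the original page); it uses the
# directives and example values discussed in this section.
SAMPLE_INI = """\
[PHP]
; development leftovers
display_errors = On
disable_functions = fopen,popen
max_execution_time = 0
;open_basedir = "/home/www/"
"""

FALSY = {"", "0", "off", "false", "no", "none"}

def parse_ini(text):
    """Return {directive: value} from php.ini text, skipping comments/sections."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        quoted = re.match(r'"([^"]*)"', value)
        # Quoted values keep their content; otherwise drop a trailing ; comment.
        value = quoted.group(1) if quoted else value.split(";", 1)[0].strip()
        settings[key] = value
    return settings

def audit(settings, required_disabled):
    """Return a list of findings for the directives covered in this section."""
    findings = []
    # display_errors defaults to On, so a missing entry is also a finding.
    if settings.get("display_errors", "On").lower() not in FALSY:
        findings.append("display_errors is enabled")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    # max_execution_time defaults to 30; 0 removes the limit.
    if settings.get("max_execution_time", "30") == "0":
        findings.append("max_execution_time is 0 (no time limit)")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(set(required_disabled) - disabled)
    if missing:
        findings.append("not in disable_functions: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ini(SAMPLE_INI), ["fopen", "popen", "file"]):
        print("FINDING:", finding)
```

The commented-out open_basedir line in the sample is deliberate: a directive that is only present as a comment is reported as unset.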
