This section introduces several other configuration parameters that play an important role in better securing your PHP installation.

disable_functions = string
Scope: PHP_INI_SYSTEM; Default value: NULL

For some, enabling safe mode might seem a tad overbearing. Instead, you might want to just disable a few functions. You can set disable_functions equal to a comma-delimited list of function names that you want to disable. Suppose that you want to disable just the fopen(), popen(), and file() functions. Set this directive like so:

disable_functions = fopen,popen,file

disable_classes = string
Scope: PHP_INI_SYSTEM; Default value: NULL

Given the new functionality offered by PHP’s embrace of the object-oriented paradigm, it likely won’t be too long before you’re using large sets of class libraries. However, there may be certain classes found within these libraries that you’d rather not make available. You can prevent the use of these classes with the disable_classes directive. For example, suppose you want to completely disable the use of two classes, named administrator and janitor:

disable_classes = "administrator, janitor"

display_errors = On | Off
Scope: PHP_INI_ALL; Default value: On

When developing applications, it’s useful to be immediately notified of any errors that occur during script execution. PHP will accommodate this need by outputting error information to the browser window. However, this information could possibly be used to reveal potentially damaging details about your server configuration or application. Therefore, when the application moves to a production environment, be sure to disable this directive. You can, of course, continue reviewing these error messages by saving them to a log file or using some other logging mechanism. See Chapter 8 for more information about PHP’s logging features.

doc_root = string
Scope: PHP_INI_SYSTEM; Default value: NULL

This directive can be set to a path that specifies the root directory from which PHP files will be served. If the doc_root directive is set to nothing (empty), it is ignored, and the PHP scripts are executed exactly as the URL specifies.

max_execution_time = integer
Scope: PHP_INI_ALL; Default value: 30

This directive specifies how many seconds a script can execute before being terminated. This can be useful to prevent users’ scripts from consuming too much CPU time. If max_execution_time is set to 0, no time limit will be set.

memory_limit = integer
Scope: PHP_INI_ALL; Default value: 8M

This directive specifies, in megabytes, how much memory a script can use. Note that you cannot specify this value in terms other than megabytes, and that you must always follow the number with an M. This directive is only applicable if --enable-memory-limit is enabled when you configure PHP.

open_basedir = string
Scope: PHP_INI_SYSTEM; Default value: NULL

PHP’s open_basedir directive can establish a base directory to which all file operations will be restricted, much like Apache’s DocumentRoot directive. This prevents users from entering otherwise restricted areas of the server. For example, suppose all Web material is located within the directory /home/www. To prevent users from viewing and potentially manipulating files such as /etc/passwd via a few simple PHP commands, consider setting open_basedir like so:

open_basedir = "/home/www/"

sql.safe_mode = integer
Scope: PHP_INI_SYSTEM; Default value: 0

When enabled, sql.safe_mode ignores all information passed to mysql_connect() and mysql_pconnect(), instead using localhost as the target host. The user under which PHP is running is used as the username (quite likely the Apache daemon user), and no password is used. Note that this directive has nothing to do with the safe mode feature found in versions of PHP earlier than 6.0; their only similarity is the name.

user_dir = string
Scope: PHP_INI_SYSTEM; Default value: NULL

This directive specifies the name of the directory in a user’s home directory where PHP scripts must be placed in order to be executed. For example, if user_dir is set to scripts and user Johnny wants to execute somescript.php, Johnny must create a directory named scripts in his home directory and place somescript.php in it. This script can then be accessed via the URL http://www.example.com/~johnny/scripts/somescript.php. This directive is typically used in conjunction with Apache’s UserDir configuration directive.
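As an added example (not from the book), the following script audits a php.ini fragment for the directives discussed above, reporting development-style values left in place and suggesting the hardened setting; the two ini fragments and the defaults assumed for absent directives (display_errors On, max_execution_time 30, memory_limit 8M) are constructed to match the values stated in this section.

```python
import re

# Constructed sample php.ini fragments: a development-style one and a hardened one.
WEAK_INI = """
; constructed sample, development settings
display_errors = On
disable_functions =
open_basedir =
max_execution_time = 0
memory_limit = 8M
"""
HARDENED_INI = """
display_errors = Off
disable_functions = fopen,popen,file
open_basedir = "/home/www/"
max_execution_time = 30
memory_limit = 8M
"""

def parse_ini(text):
    """Return {directive: value}; text after ';' is a comment, surrounding quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (directive, problem, suggested setting) for each risky value."""
    findings = []
    # When a directive is absent, assume the defaults given in the text above.
    if settings.get("display_errors", "On").lower() not in ("off", "0", ""):
        findings.append(("display_errors", "error details are sent to the browser", "display_errors = Off"))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "file operations are not confined to a base directory", 'open_basedir = "/home/www/"'))
    if not settings.get("disable_functions"):
        findings.append(("disable_functions", "no functions are disabled", "disable_functions = fopen,popen,file"))
    if settings.get("max_execution_time", "30") == "0":
        findings.append(("max_execution_time", "scripts may run without a time limit", "max_execution_time = 30"))
    if not re.fullmatch(r"\d+M", settings.get("memory_limit", "8M")):
        findings.append(("memory_limit", "value must be a number followed by M", "memory_limit = 8M"))
    return findings

if __name__ == "__main__":
    for directive, problem, fix in audit(parse_ini(WEAK_INI)):
        print(f"{directive}: {problem}; set {fix}")
```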