TechTutorials - Free Computer Tutorials  







Basic PHP Security 
 


Added: 07/10/2008
Getting hacked is one of the most frustrating things that can happen to a webmaster, and the people behind most of these attacks have no interest in the damage they cause. There is no sure-fire way to prevent every attack, but there is plenty you can do to make a script kiddie's job harder. The first step is keeping your MySQL and PHP installations up to date, since most mass attacks target known, already-patched bugs. After that there are several directives in php.ini that you should consider. The file is usually /etc/php.ini, but the location varies by distribution and by SAPI (the Apache module and the command-line interpreter can load different files); `php --ini` shows which file the CLI loads, and phpinfo() shows which one the web server loads.

Register Globals:
Setting this to "On" is not insecure in and of itself; poorly written code is what turns it into a serious problem. With register_globals on, every GET, POST, cookie and server variable is injected into the script as a global PHP variable, so any variable the code reads before initialising it (a classic example is an $authorized flag that is only assigned after a successful login check) can be supplied by the attacker in the request. This directive has defaulted to Off since PHP 4.2.0 and was removed entirely in PHP 5.4; on older installations, set it explicitly.

register_globals = Off

Safe Mode:
Consider this setting carefully. With safe_mode on, PHP refuses to open files whose owner UID differs from that of the running script and restricts a number of functions, which blocks some attacks on shared hosts, but many scripts simply will not run under it, including popular applications like phpBB. It was also never a reliable security boundary: the PHP project deprecated it in 5.3 and removed it in 5.4, on the grounds that this kind of isolation belongs at the web server and operating system level rather than inside PHP.

safe_mode = Off

Disable Functions:
Disabling functions can keep an attacker who gets code execution through a vulnerable script from spawning a shell, and limits the damage they can do if they do get in. disable_functions can only be set in php.ini (not with ini_set() or in .htaccess), which is exactly why it is useful: a script, or an attacker controlling one, cannot turn the functions back on. It applies only to PHP's built-in functions, not to user-defined ones. Keep in mind, as with all of these settings, that some software may stop working after you configure this; in those cases you will either need a programmer to modify the software to work without the disabled functions, or you will have to leave that function enabled. Below is a sample list of functions worth disabling. A few caveats on the list: base64_encode, base64_decode and readfile are used legitimately by a great many applications, so expect breakage if you disable them; escapeshellarg and escapeshellcmd are the functions a well-written script uses to call external programs safely, so disabling them makes sense only if exec, system, passthru, shell_exec, proc_open and popen are all disabled too; ini_alter is simply an alias of ini_set and show_source an alias of highlight_file, so disabling one name without the other achieves nothing.

disable_functions = "phpinfo,base64_decode,base64_encode,proc_terminate,exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec,pcntl_exec"

Note that php.ini does not support line continuation, so the whole value must stay on one line; the original had a typo ("base64_encodem") which would silently have left base64_encode enabled, since PHP ignores names it does not recognise.


File Uploads:
If you have no reason for your visitors to upload files to your server via HTTP, such as with a photo gallery, then this directive should be turned off; it stops PHP from accepting multipart file uploads at all, which removes a whole class of "upload a .php file and browse to it" attacks. If you do need uploads, keep upload_max_filesize and post_max_size small, and never store an uploaded file under the web root with the name or extension the user supplied.

file_uploads = Off

After making any changes to your php.ini file, restart Apache (or PHP-FPM, if that is what serves your PHP) for them to take effect; the Apache module reads php.ini only at startup. Then confirm the new values actually apply to the web SAPI, for example with ini_get('register_globals') from a throwaway script, since phpinfo() will be unavailable if you disabled it as suggested above, and the command-line interpreter may be reading a different php.ini.





7 Seconds Resources, Inc.