====== PHP Security ======

  * [[PHP]]
  * [[PHP Suhosin]]
  * [[http://us.php.net/manual/en/configuration.changes.modes.php|Where a configuration setting may be set]]
  * [[http://us.php.net/manual/en/ini.list.php|List of php.ini directives]]
  * [[http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking|PHP Session Hijacking]]

=== PHP Configuration Overrides ===

Every php.ini directive carries one of these modes. The mode decides where a value can be set, and therefore who can change it: a directive marked PHP_INI_ALL can be overridden by the application itself with ini_set(), while a PHP_INI_SYSTEM directive can only be changed by whoever controls php.ini or the web server configuration.

^ Mode ^ Meaning ^
| PHP_INI_USER | Entry can be set in user scripts (like with ini_set()) |
| PHP_INI_PERDIR | Entry can be set in php.ini, .htaccess or httpd.conf |
| PHP_INI_SYSTEM | Entry can be set in php.ini or httpd.conf |
| PHP_INI_ALL | Entry can be set anywhere |

=== Configuration Settings ===

== open_basedir ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.open-basedir|description]]

Limits all file operations to the listed directories and everything below them. The directive makes most sense in a per-directory or per-virtualhost web server configuration, so that each application is confined to its own tree. Note that each entry is a prefix, not a directory name: ''/var/www'' also allows ''/var/www2''. End an entry with a slash to restrict it to exactly that directory.

  * Default: Off
  * Recommended: the webroot of the application (plus any library directories it needs)
  * Changeable: PHP_INI_ALL (since PHP 5.3 a script may only tighten the value at runtime, never widen it)
  * Syntax: ''"/var/www/:/usr/share/php/"'' (colon-separated on Unix, semicolon-separated on Windows)

It is also prudent to disable the symlink() function (see disable_functions below), since open_basedir is checked against paths rather than against what a symlink created inside the tree may later point at.

== disable_functions ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.disable-functions|description]]

Prevents the named internal functions from being called. A call to a disabled function emits a warning ("has been disabled for security reasons") and returns NULL. Only internal (built-in) functions can be listed; eval is a language construct, not a function, and cannot be disabled this way.

  * Default: None
  * Recommended: the process-execution functions (exec, passthru, shell_exec, system, proc_open, popen), dl, phpinfo, symlink and any filesystem functions the application does not need
  * Changeable: php.ini only (cannot be set in httpd.conf or .htaccess)
  * Syntax: ''"exec,passthru,shell_exec,system,proc_open,popen,symlink,phpinfo"''

== expose_php ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.expose-php|description]]

Adds an ''X-Powered-By'' header to every HTTP response naming the PHP version in use, which hands an attacker the exact version to look up.

  * Default: On
  * Recommended: Off
  * Changeable: php.ini only

== display_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.display-errors|description]]

Whether errors are sent to the client as part of the script's output. On a production server this leaks file paths, SQL fragments and stack details to anyone who can trigger an error; errors should go to the log instead.
  * Default: On (the php.ini-production file shipped with PHP sets it Off)
  * Recommended: Off on production servers
  * Changeable: PHP_INI_ALL

== html_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.html-errors|description]]

Wraps displayed errors in HTML tags (and, with docref_root set, links them to the manual). Only relevant when errors are displayed at all.

  * Default: On
  * Recommended: Off on production servers
  * Changeable: PHP_INI_ALL

== post_max_size ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.post-max-size|description]]

Maximum size of POST data that PHP will accept. If a request exceeds it, $_POST and $_FILES are left empty. It must be at least as large as upload_max_filesize, or uploads can never succeed.

  * Default: 8M
  * Recommended: as low as the application allows, to limit denial-of-service through oversized requests
  * Changeable: PHP_INI_PERDIR

== enable_dl ==

  * [[http://us.php.net/manual/en/info.configuration.php#ini.enable-dl|description]]

Allows dl() to load PHP extensions at runtime, which lets any script that can write a shared object into the extension directory execute native code in the server process. (dl() was removed from most web SAPIs in PHP 5.3 and from PHP-FPM in 7.0, but the directive should still be Off.)

  * Default: On
  * Recommended: Off
  * Changeable: PHP_INI_SYSTEM

== file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.file-uploads|file_uploads]]

Allows HTTP file uploads.

  * Default: On
  * Recommended: Off if the application does not accept uploads
  * Changeable: PHP_INI_SYSTEM

== upload_max_filesize ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.upload-max-filesize|description]]

The maximum size of a single uploaded file.

  * Default: 2M
  * Recommended: as large as production needs, otherwise small, to limit denial of service
  * Changeable: PHP_INI_PERDIR

== max_file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.max-file-uploads|description]]

Maximum number of files that can be uploaded in a single request.

  * Default: 20
  * Recommended: the number of files the application actually accepts per request
  * Changeable: PHP_INI_SYSTEM

== allow_url_fopen ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen|description]]

Whether URLs (such as http:// or ftp://) may be opened as files by fopen(), file_get_contents() and similar functions. With this On, any file-reading function that takes user-controlled input can be turned into a server-side request.
  * Default: On
  * Recommended: Off unless the application fetches remote resources through the file functions (the curl extension is not affected)
  * Changeable: PHP_INI_SYSTEM (the manual's appendix has listed PHP_INI_ALL, which is wrong)

== allow_url_include ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include|description]]

Whether include/require may open URLs (such as http:// or ftp://) as files. Turning this On converts any include with a user-influenced path into remote code execution (remote file inclusion). It only takes effect when allow_url_fopen is also On, and the directive is deprecated as of PHP 7.4.

  * Default: Off
  * Recommended: Off
  * Changeable: PHP_INI_SYSTEM (older manual versions listed PHP_INI_ALL)

== session.use_only_cookies ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies|description]]

Makes PHP accept the session id only from the session cookie and ignore ids passed in the URL or POST body. This closes the simplest session-fixation path, where an attacker sends a victim a link carrying a session id the attacker already knows.

  * [[http://www.php.net/manual/en/session.security.php|Sessions and security]]
  * Default: On since PHP 5.3.0 (Off in earlier versions)
  * Recommended: On for any site that keeps sensitive data in the session; the browser must accept cookies
  * Changeable: PHP_INI_ALL

== session.cookie_httponly ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly|description]]

Whether the HttpOnly flag is set on the session cookie, which hides it from browser scripting languages such as JavaScript. With the flag set, a cross-site scripting bug can no longer read the session id out of document.cookie.

  * Default: Off
  * Recommended: On, unless the site's JavaScript needs to read the session cookie directly (rare)
  * Changeable: PHP_INI_ALL

== session.hash_function ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.hash-function|description]]

Selects the hash algorithm used to derive session ids: '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits); since PHP 5.3 any algorithm name from hash_algos() is also accepted. The unpredictability of the id comes from the random input, not from the hash, so this setting mainly controls the id length. The directive was removed in PHP 7.1, where session.sid_length and session.sid_bits_per_character take over.

  * Default: 0 (MD5)
  * Recommended: 1 (SHA-1) on PHP versions that still have the directive
  * Changeable: PHP_INI_ALL
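The following php.ini fragment collects the recommendations above into one production configuration. It is an added example, not a file from the PHP project or from this wiki's original page; the open_basedir paths, the disable_functions list and the upload limits are assumptions to be adjusted per application, and log_errors is included because it is the usual companion of display_errors = Off even though this page does not discuss it.

```ini
; Added example: production php.ini fragment applying the settings on this page.
; Paths and limits are assumptions for illustration.

; --- information disclosure ---
expose_php = Off               ; no X-Powered-By: PHP/x.y.z header
display_errors = Off           ; never send errors to the client
html_errors = Off
log_errors = On                ; not covered on this page: keep the errors you stopped displaying

; --- filesystem confinement (PHP_INI_ALL, so better pinned per vhost, see below) ---
; trailing slashes: each entry is a prefix match, "/var/www" would also allow "/var/www2"
open_basedir = "/var/www/example/:/usr/share/php/:/tmp/"

; --- dangerous functions (php.ini only) ---
; eval is a language construct and cannot be listed here
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,dl,symlink,phpinfo
enable_dl = Off

; --- remote resources ---
allow_url_fopen = Off          ; breaks fopen("http://...") and file_get_contents on URLs, not curl
allow_url_include = Off

; --- uploads and request size ---
file_uploads = Off             ; On only where uploads are a feature
upload_max_filesize = 2M
max_file_uploads = 5
post_max_size = 4M             ; must be >= upload_max_filesize or uploads silently fail

; --- sessions ---
session.use_only_cookies = 1   ; ignore session ids in URLs
session.cookie_httponly = 1    ; cookie invisible to document.cookie
session.hash_function = 1      ; SHA-1; ignored on PHP >= 7.1 where the directive no longer exists
```

Verify the result from the command line with ''php --ini'' (which file was loaded) and ''php -i | grep -E 'expose_php|display_errors|open_basedir|disable_functions|allow_url'''. Under Apache with mod_php, anything marked PHP_INI_ALL or PHP_INI_PERDIR can still be widened by a php_value line in an .htaccess file the application can write to; pin those directives per virtual host with ''php_admin_value'' and ''php_admin_flag'' instead, which neither .htaccess nor ini_set() can override. open_basedir in particular belongs there.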
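The Overrides table above is what decides which of these settings an application can repair for itself. The script below, an added example rather than code from the PHP project or the original page, audits the running interpreter against the recommended values, fixes the PHP_INI_ALL directives with ini_set() and reports the rest as requiring a php.ini change (ini_set() returns false for them). It also shows a session bootstrap that sets the two session directives before session_start() and regenerates the id at privilege changes, the server-side counterpart to use_only_cookies against session fixation. The list of audited directives is an assumption; extend it as needed.

```php
<?php
// Added example (not from the original page): audit the running configuration
// against the recommendations above and apply only the fixes that are legal at
// runtime. PHP_INI_ALL directives can be set with ini_set(); PHP_INI_SYSTEM and
// "php.ini only" directives must be changed in php.ini or the server config.
declare(strict_types=1);

// directive => [recommended boolean value, changeable at runtime?]
// Runtime flags follow the PHP_INI_* modes listed on this page.
const RECOMMENDED = [
    'expose_php'               => ['0', false], // php.ini only
    'display_errors'           => ['0', true],  // PHP_INI_ALL
    'html_errors'              => ['0', true],  // PHP_INI_ALL
    'enable_dl'                => ['0', false], // PHP_INI_SYSTEM
    'allow_url_fopen'          => ['0', false], // PHP_INI_SYSTEM
    'allow_url_include'        => ['0', false], // PHP_INI_SYSTEM
    'session.use_only_cookies' => ['1', true],  // PHP_INI_ALL
    'session.cookie_httponly'  => ['1', true],  // PHP_INI_ALL
];

/** Normalise the spellings php.ini accepts for booleans ("On", "1", "", "Off", "0"). */
function iniBool(string $value): string
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) ? '1' : '0';
}

/** Return [directive => finding] for every directive that deviates from RECOMMENDED. */
function auditIni(array $recommended = RECOMMENDED): array
{
    $findings = [];
    foreach ($recommended as $name => [$want, $runtime]) {
        $have = ini_get($name);
        if ($have === false) {                    // unknown to this PHP build
            $findings[$name] = 'directive not available in this PHP version';
            continue;
        }
        if (iniBool($have) === $want) {
            continue;                              // already as recommended
        }
        // ini_set() returns false when the mode forbids changing it here.
        if ($runtime && ini_set($name, $want) !== false) {
            $findings[$name] = 'was ' . var_export($have, true) . ', fixed at runtime';
        } else {
            $findings[$name] = 'is ' . var_export($have, true) . ', must be fixed in php.ini';
        }
    }
    return $findings;
}

/**
 * Start a session with the cookie-only settings in force. Call before any output.
 * Pass $privilegeChanged = true right after login or a role change so an id an
 * attacker fixated during the anonymous phase stops being valid.
 */
function startHardenedSession(bool $privilegeChanged = false): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_only_cookies', '1');  // PHP_INI_ALL: allowed here
        ini_set('session.cookie_httponly', '1');   // PHP_INI_ALL: allowed here
        session_start();
    }
    if ($privilegeChanged) {
        session_regenerate_id(true);               // true: delete the old session file too
    }
}

// CLI usage: php audit.php
if (PHP_SAPI === 'cli') {
    foreach (auditIni() as $name => $finding) {
        echo str_pad($name, 28), $finding, PHP_EOL;
    }
}
```

Run it under the same SAPI as the application (for example through the web server, not only ''php audit.php''), since php.ini and per-vhost values differ between CLI and mod_php or FPM; a clean CLI run proves nothing about the web configuration.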