Differences
— | php_security [2011/11/22 17:22] (current) – created - external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== PHP Security ====== | ||
+ | |||
+ | * [[PHP]] | ||
+ | * [[PHP Suhosin]] | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | === PHP Configuration Overrides === | ||
+ | |||
+ | ^ Mode ^ Meaning ^ | ||
+ | | PHP_INI_USER | Entry can be set in user scripts (like with ini_set()) | | ||
+ | | PHP_INI_PERDIR | Entry can be set in php.ini, .htaccess or httpd.conf | | ||
+ | | PHP_INI_SYSTEM | Entry can be set in php.ini or httpd.conf | | ||
+ | | PHP_INI_ALL | Entry can be set anywhere | | ||
+ | |||
+ | === Configuration Settings === | ||
+ | |||
+ | == open_basedir == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Limits all file operations to the defined directory and below. | ||
+ | |||
+ | * Default: Off | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | * Syntax: "/ | ||
+ | |||
+ | Also it is prudent to disable symlink() function | ||
+ | |||
+ | == disable_functions == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Disable certain PHP functions from executing. | ||
+ | |||
+ | * Default: None | ||
+ | * Recommended: | ||
+ | * Changeable: php.ini only | ||
+ | * Syntax: " | ||
+ | |||
+ | == expose_php == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Adds a header to the HTTP response detailing the PHP version used. | ||
+ | |||
+ | * Default: Enabled | ||
+ | * Recommended: | ||
+ | * Changeable: php.ini only | ||
+ | |||
+ | == display_errors == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Includes error output with script execution. | ||
+ | |||
+ | * Default: Enabled | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
+ | == html_errors == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Displays errors with HTML tags | ||
+ | |||
+ | * Default: Enabled | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
+ | == post_max_size == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Maximum size of POST data that PHP will accept. | ||
+ | |||
+ | * Default: 8M | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_PERDIR | ||
+ | |||
+ | == enable_dl == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Allows loading external PHP modules | ||
+ | |||
+ | * Default: Enabled | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_SYSTEM | ||
+ | |||
+ | == file_uploads == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Allows uploading files. | ||
+ | |||
+ | * Default: Enabled | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_SYSTEM | ||
+ | |||
+ | == upload_max_filesize == | ||
+ | |||
+ | The max filesize of an uploaded file. | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | * Default: 2M | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_PERDIR | ||
+ | |||
+ | == max_file_uploads == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Maximum number of files that can be uploaded via a single request. | ||
+ | |||
+ | * Default: 20 | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_SYSTEM | ||
+ | |||
+ | == allow_url_fopen == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Whether to allow the treatment of URLs (like http:// or ftp://) as files. | ||
+ | |||
+ | * Default: Off | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_SYSTEM (Appendix says PHP_INI_ALL, | ||
+ | |||
+ | == allow_url_include == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Whether to allow include/ | ||
+ | |||
+ | * Default: Off | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
+ | == session.use_only_cookies == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | This option enables administrators to make their users invulnerable to attacks which involve passing session ids in URLs | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | * Default: Off | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
+ | == session.cookie_httponly == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript. | ||
+ | |||
+ | * Default: Off | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
+ | == session.hash_function == | ||
+ | |||
+ | * [[http:// | ||
+ | |||
+ | Allows you to specify the hash algorithm used to generate the session IDs. ' | ||
+ | |||
+ | * Default: MD5 | ||
+ | * Recommended: | ||
+ | * Changeable: PHP_INI_ALL | ||
+ | |||
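Review bot: the allow_url_fopen entry is internally inconsistent and should be resolved before this revision is relied on. Its `Changeable: PHP_INI_SYSTEM (Appendix says PHP_INI_ALL,` line stops mid-sentence, so the disagreement with the appendix is recorded but never settled, and its `Default: Off` is worth re-checking against the php.ini shipped with the PHP release being documented, since the allow_url_include entry that follows builds on it. More generally, every `Recommended:` bullet from open_basedir through session.hash_function is empty, every `[[http://` reference link is cut off, and the `Syntax:` lines for open_basedir and disable_functions end after the opening quote, so the page currently says what each directive does and where it may be set but not the hardened value its title promises; suggest filling each Recommended: bullet with the value and a one-line reason, restoring the reference URLs, and turning the fragment `Also it is prudent to disable symlink() function` into a full sentence that points at the disable_functions entry, which is where that restriction is actually configured.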