php_security [2011/11/22 17:22] (current) – created - external edit 127.0.0.1
====== PHP Security ======

  * [[PHP]]
  * [[PHP Suhosin]]
  * [[http://us.php.net/manual/en/configuration.changes.modes.php|Where a configuration setting may be set]]
  * [[http://us.php.net/manual/en/ini.list.php|List of php.ini directives]]
  * [[http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking|PHP Session Hijacking]]

=== PHP Configuration Overrides ===

^ Mode ^ Meaning ^
| PHP_INI_USER | Entry can be set in user scripts (for example with ini_set()) |
| PHP_INI_PERDIR | Entry can be set in php.ini, .htaccess or httpd.conf |
| PHP_INI_SYSTEM | Entry can be set in php.ini or httpd.conf |
| PHP_INI_ALL | Entry can be set anywhere |

=== Configuration Settings ===

== open_basedir ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.open-basedir|description]]

Limits all file operations to the listed directories and their subdirectories. This directive makes most sense in a per-directory or per-virtual-host web server configuration file.

  * Default: Off
  * Recommended: webroot
  * Changeable: PHP_INI_ALL
  * Syntax: "/var/www:/usr/share/php"

It is also prudent to disable the symlink() function (see disable_functions below).

== disable_functions ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.disable-functions|description]]

Prevents the listed PHP functions from executing. Calling a disabled function fails with a warning. Note that eval is a language construct rather than a function, so this directive cannot block it.

  * Default: None
  * Recommended: filesystem functions, functions that run system commands, phpinfo, etc.
  * Changeable: php.ini only
  * Syntax: "eval,file_get_contents"

== expose_php ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.expose-php|description]]

Adds a header to the HTTP response revealing the PHP version in use.

  * Default: Enabled
  * Recommended: Disabled
  * Changeable: php.ini only

== display_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.display-errors|description]]

Prints error messages as part of the script output.

  * Default: Enabled
  * Recommended: Disabled on production servers
  * Changeable: PHP_INI_ALL

== html_errors ==

  * [[http://us.php.net/manual/en/errorfunc.configuration.php#ini.html-errors|description]]

Formats error messages with HTML tags.

  * Default: Enabled
  * Recommended: Disabled on production servers
  * Changeable: PHP_INI_ALL

== post_max_size ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.post-max-size|description]]

Maximum size of POST data that PHP will accept.

  * Default: 8M
  * Recommended: As low as the application allows, to limit denial of service.
  * Changeable: PHP_INI_PERDIR

== enable_dl ==

  * [[http://us.php.net/manual/en/info.configuration.php#ini.enable-dl|description]]

Allows loading external PHP modules at runtime with dl().

  * Default: Enabled
  * Recommended: Disabled
  * Changeable: PHP_INI_SYSTEM

== file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.file-uploads|description]]

Allows uploading files.

  * Default: Enabled
  * Recommended: Disabled if not being used
  * Changeable: PHP_INI_SYSTEM

== upload_max_filesize ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.upload-max-filesize|description]]

The maximum size of an uploaded file.

  * Default: 2M
  * Recommended: As large as production needs; otherwise keep it small to limit denial of service.
  * Changeable: PHP_INI_PERDIR

== max_file_uploads ==

  * [[http://us.php.net/manual/en/ini.core.php#ini.max-file-uploads|description]]

Maximum number of files that can be uploaded in a single request.

  * Default: 20
  * Recommended: A lower value
  * Changeable: PHP_INI_SYSTEM

== allow_url_fopen ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-fopen|description]]

Whether URLs (such as http:// or ftp://) may be opened as if they were files.

  * Default: Off
  * Recommended: Off
  * Changeable: PHP_INI_SYSTEM (the appendix says PHP_INI_ALL, which is wrong)

== allow_url_include ==

  * [[http://us.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include|description]]

Whether include/require may open URLs (such as http:// or ftp://) as files.

  * Default: Off
  * Recommended: Off
  * Changeable: PHP_INI_ALL

== session.use_only_cookies ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies|description]]

This option lets administrators make their users immune to attacks that pass session IDs in URLs.

  * [[http://www.php.net/manual/en/session.security.php|Sessions and security]]

  * Default: Off
  * Recommended: On for sites that keep sensitive data in the session; requires the browser to accept cookies
  * Changeable: PHP_INI_ALL

== session.cookie_httponly ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.cookie-httponly|description]]

Whether to set the HttpOnly flag on the session cookie, which makes it inaccessible to browser scripting languages such as JavaScript.

  * Default: Off
  * Recommended: On, unless the site uses JavaScript to read the session cookie (likely rare)
  * Changeable: PHP_INI_ALL

== session.hash_function ==

  * [[http://us.php.net/manual/en/session.configuration.php#ini.session.hash-function|description]]

Selects the hash algorithm used to generate session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).

  * Default: MD5
  * Recommended: SHA1
  * Changeable: PHP_INI_ALL
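
As an added example (not part of the original wiki page), a small Python audit script that parses a php.ini fragment and reports every directive whose effective value departs from the recommendations listed above. The defaults and recommended values are the ones stated on this page, the sample ini text is constructed, and the script assumes that an unset directive takes the page's listed default.

```python
import re
# Defaults and recommended values as listed on this page; "1"/"0" stand for On/Off.
BOOLEAN_DIRECTIVES = {
    "expose_php": ("1", "0"), "display_errors": ("1", "0"),
    "html_errors": ("1", "0"), "enable_dl": ("1", "0"),
    "allow_url_fopen": ("0", "0"), "allow_url_include": ("0", "0"),
    "session.use_only_cookies": ("0", "1"), "session.cookie_httponly": ("0", "1"),
    "session.hash_function": ("0", "1"),  # 0 = MD5, 1 = SHA-1
}
# Directives the page wants populated rather than left at their empty default.
MUST_BE_SET = ("open_basedir", "disable_functions")

def normalize(value):
    """Map PHP's boolean spellings (On/Off, true/false, yes/no, 1/0) to '1'/'0'."""
    v = value.strip().strip('"').lower()
    if v in ("1", "on", "true", "yes"):
        return "1"
    return "0" if v in ("0", "off", "false", "no", "none", "") else v

def parse_ini(text):
    """Parse php.ini text into {directive: value}; a later entry overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("["):  # skip blank lines and [Section] headers
            continue
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(text):
    """Return a sorted list of (directive, found, recommended) for every deviation."""
    s = parse_ini(text)
    findings = []
    for key, (default, want) in BOOLEAN_DIRECTIVES.items():
        got = normalize(s.get(key, default))  # unset directive: PHP's default applies
        if got != want:
            findings.append((key, got, want))
    for key in MUST_BE_SET:
        if not s.get(key, "").strip('"'):
            findings.append((key, "", "non-empty"))
    return sorted(findings)

SAMPLE_INI = """; constructed sample fragment, not taken from a real server
[PHP]
expose_php = On
display_errors = Off
allow_url_fopen = Off
disable_functions = "eval,file_get_contents"
session.use_only_cookies = 1
"""
```

Run `audit(SAMPLE_INI)` to see the six deviations in the sample: expose_php left on, four directives still at their insecure defaults, and no open_basedir.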