Secure php settings

Discussion in 'Suggest HOWTO' started by sysconfig, Nov 4, 2006.

  1. sysconfig

    sysconfig New Member

    Securing PHP

    PHP is one of the most popular applications that run on Linux and Windows servers today. It's also one of the main sources for servers and user accounts getting compromised. Hence, here is the steps to securing php and securing php.ini

    First off you want to figure out how you can edit php.ini This is the main configuration file for PHP. You can find it by logging into shell and typing in the following:

    Turn on safe_mode

    Safe mode is an easy way to lock down the security and functions you can use. explains php safe_mode as, "The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now."

    I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop exec functions and others that can easily prevent a security breach.

    Disable Dangerous PHP Functions

    PHP has a lot of potential to mess up your server and hack user accounts and even get root. I've seen many times where users use an insecure PHP script as an entry point to a server to start unleashing dangerous commands and taking control.

    Search the php.ini file for:
    disable_functions =

    Add the following:

    disable_functions = dl,system,exec,passthru,shell_exec

    Turn off Register Globals

    Register_globals will inject your scripts with all sorts of variables, like request variables from HTML forms. This coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier.
    Run PHP through PHPsuexec Preventing Nobody Access

Share This Page