Differences

This shows you the differences between two versions of the page.

--- php [2007/01/24 22:15]
a +PHP Security Guide
+++ php [2008/03/22 19:37]
greebo
@@ Line 1: / Line 1: @@
 ====== PHP tips ======
 ===== Instalation tips =====
@@ Line 12: / Line 18: @@
 display_errors = Off \\
 allow_url_fopen = Off \\
+session.use_trans_sid = 0 \\
+session.use_only_cookies = 1 \\
 #output_buffering = 4096 \\
@@ Line 18: / Line 27: @@
         php_admin_flag safe_mode On
         php_admin_value open_basedir "/var/www/domain_dir/:/home/"
+        php_admin_value sendmail_from webmaster@example.com
+        php_admin_flag display_errors On
+        php_admin_value safe_mode_include_dir "/usr/share/php/"
+#       php_admin_value default_charset "UTF-8"
+        php_admin_value default_charset "windows-1250"
+FIXME - styling needed
+**PHP to secure a setup, a good start is a secure php.ini, for example:**
+   * disable the Fopen Wrapper, allow_url_fopen = Off
+   * use disable_classes and disable_functions like
+ini_alter, ini_get_all, ini_get, ini_restore, ini_set, php_get_tmpdir, php_ini_scanned_files, php_logo_guid, php_uname, phpcredits, phpinfo, phpversion, putenv, restore_include_path, set_include_path, set_time_limit, version_compare, zend_logo_guid, zend_version, show_source, system, shell_exec, passthru, exec, proc_open, time_limit, version_compare, zend_logo_guid, zend_version, show_source, system, shell_exec, passthru, exec, proc_open etc. etc.
+   * set register_globals = off
+   * set log_errors = on, error_reporting and error_log
+   * use open_basedir and include_path
+   * use safe_mode if possible
 === see also: ===
    * [[http://www.hardened-php.net/|PHP Hardening-Patch]]
    * [[http://phpsec.org/projects/guide/|PHP Security Guide]]
+   * [[http://www.infosecnews.org/pipermail/isn/2007-March/014423.html|[ISN] Secure PHP Configuration]] (local {{014423.html|mirror}})