
Secure Install of PHP - What do you do?

Status: Not open for further replies.

jet042

MIS
Dec 23, 2002
258
US
While the manual has a lot of good information on how to set up and install PHP and then secure the application, it doesn't touch much on third-party tools or other non-standard options. So here's the question: How do you do it?

What options do you turn on or off in your php.ini? What extensions do you always build in or always leave out? Do you use third-party tools like Suhosin to strengthen your install?

I guess generally, let's combine all our knowledge and see if we can put together something approaching a "best practices" guide for securely using PHP. Of course, a lot of what you can do to secure it is dependent on your architecture, but there are many things that will work independent of your server OS or web server. Since this is a PHP board, let's try to focus on those.
 
Thanks, jpadie, that site has some really good information. Unfortunately, most of it is about writing secure code, not configuring PHP to be more secure by default. Their PHP Security Guide does mention turning off register_globals in the php.ini and also touches on the fact that even php.ini-recommended has allow_url_fopen turned on, but that's all I've seen so far.

Secure code is important, don't misunderstand me, but it is only a part of the "defense in depth" philosophy that I subscribe to.
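As an added example (not code from either post above, nor from the PHP project), here is a read-only audit script that reports where the running configuration deviates from a hardening baseline. It covers the two directives the posts name (register_globals, allow_url_fopen) plus a few companions that are commonly locked down alongside them (allow_url_include, display_errors, expose_php, open_basedir, disable_functions, log_errors). The baseline itself is an assumption chosen for this example, not a PHP default; register_globals no longer exists in PHP 5.4 and later, so the script treats an unknown directive as "nothing to fix" rather than as a finding.

```php
<?php
// Added example: audit the PHP configuration the web server actually runs with.
// Run it under the same SAPI as production (drop it into the docroot briefly, or
// `php -c /path/to/php.ini audit.php`), because CLI and Apache/FastCGI can load
// different php.ini files. The expected values are this example's baseline.

// True when a boolean-style directive is Off, or unknown to this PHP build
// (ini_get() returns false for directives that were removed, e.g. register_globals).
function ini_is_off($name)
{
    $v = ini_get($name);
    if ($v === false) {
        return true;
    }
    return in_array(strtolower(trim($v)), array('', '0', 'off', 'no', 'false'), true);
}

// Returns a list of human-readable deviations; an empty array means the baseline holds.
function audit_php_ini()
{
    $findings = array();

    // Directives that should be Off on any public-facing install.
    foreach (array('register_globals', 'allow_url_fopen', 'allow_url_include',
                   'display_errors', 'expose_php') as $d) {
        if (!ini_is_off($d)) {
            $findings[] = "$d is On (set it to Off in php.ini)";
        }
    }

    // Directives that should be non-empty: they fence the runtime in.
    foreach (array('open_basedir', 'disable_functions') as $d) {
        $v = ini_get($d);
        if ($v === false || trim($v) === '') {
            $findings[] = "$d is empty (restrict the filesystem / dangerous functions)";
        }
    }

    // Errors should still be recorded somewhere an administrator reads.
    if (ini_is_off('log_errors')) {
        $findings[] = 'log_errors is Off (errors are silently dropped)';
    }

    return $findings;
}

$loaded   = php_ini_loaded_file();
$findings = audit_php_ini();

printf("PHP %s via %s, php.ini: %s\n", PHP_VERSION, PHP_SAPI, $loaded ? $loaded : 'none loaded');
if (count($findings) === 0) {
    echo "Baseline OK\n";
} else {
    echo "Deviations from baseline:\n";
    foreach ($findings as $f) {
        echo " - $f\n";
    }
}
```

The point of checking with ini_get() rather than reading php.ini by hand is that the effective value can come from several places (the loaded php.ini, a per-directory .htaccess or .user.ini, or an ini_set() call in application code), and only the running interpreter knows which one won.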
 
I think that the security of an individual installation of PHP is difficult to pin down. It is very dependent on the environment in which PHP is installed. Are you hosting multiple virtual servers, for multiple people? Do you use CGI/SAPI? What kind of web server are you using? What kind of trade-offs are you willing to make between flexibility and security?

The matrix is too deep (imo) for an article or similar. The best advice to any webmaster is to make sure that they read the installation manual and the relative benefits of (Fast) CGI -v- SAPI and that they really understand how their web server works with their environment (e.g. OS and access control etc).

For example, one user here posted that, as a customer of a very well-known ISP, they were able to use PHP not only to access all other customers' websites but also to navigate and read the folders and files on other servers within the hosted subnet. This included customer billing and contact data, business plans etc. This flaw was purely and simply because the ISP in question did not read the manual.
 