Secure PHP
Some security tips that help you avoid common mistakes and protect the server from the most frequent attacks.
Configuration file
When using PHP in a production environment, you should have the following settings in php.ini:
safe_mode = Off
register_globals = Off
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
log_errors = On
display_errors = Off
error_log = /var/log/phperror.log
memory_limit = 32M
post_max_size = 12M
upload_max_filesize = 8M
max_execution_time = 120
max_input_time = 60
enable_dl = Off
disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,phpinfo,eval"
session.use_only_cookies = 1
Error log
All PHP errors will be stored in the file /var/log/phperror.log. The following commands create it and set its permissions:
touch /var/log/phperror.log
chmod 666 /var/log/phperror.log
Description of directives
Below is a description of directives used to secure PHP:
safe_mode
It is primarily intended to provide file access limits that prevent users from accessing files that do not belong to them. This setting will be deprecated and should be avoided.
register_globals
Setting it to Off disables automatic variable creation. This means that all PHP scripts must use the $_REQUEST, $_GET, or $_POST arrays to retrieve user-provided data. When enabled, this directive was responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables.
expose_php
Hides the PHP version in Apache from remote users' requests. There is no reason to let end users know the server's PHP version.
allow_url_fopen
This directive allows remote resources to be referenced as if they were local files. It is recommended to leave it disabled unless your application requires it.
allow_url_include
This directive allows remote resources to be included or required as if they were local files. As with the directive above, it is recommended to leave it disabled.
log_errors
When enabled, log_errors instructs PHP to log all errors to the file indicated by the error_log directive.
display_errors
The display of PHP error messages should be disabled on production servers so that badly written scripts do not leak information about your system environment.
error_log
All PHP errors will be stored in the file /var/log/phperror.log. The two commands in the Error log section above create that file.
memory_limit
To prevent poorly written scripts from consuming all of the available memory, this directive sets the maximum amount of memory a script may consume.
post_max_size
Controls the size of HTTP form submissions. You may tweak the value to suit your needs.
upload_max_filesize
Maximum allowed size for uploaded files.
max_execution_time
Maximum execution time of each script. You may tweak the value to suit your needs.
max_input_time
Maximum amount of time each script may spend parsing request data.
enable_dl
This directive is used to enable or disable the dl() function, which allows runtime loading of PHP extensions. It makes it possible to bypass some restrictions, so it is recommended to disable it unless your application requires it.
disable_functions
This directive allows you to disable several security-sensitive functions. Previously, this necessitated hand-editing the C code from which PHP was made. For a function reference, you can use this list.
session.use_only_cookies
Reduces the risk of session fixation by only allowing session IDs to be passed as cookies. In other words, enabling this setting prevents attacks that involve passing session IDs in URLs.
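
One way to check an existing php.ini against the settings listed above. This is an added example, not part of the original page: the function names and the sample file are constructed for illustration. It assumes that a directive missing from the file should be reported as "not set", because the PHP default then applies.

```python
import re

# Baseline copied from the php.ini settings listed on this page.
BOOLS = {"safe_mode": False, "register_globals": False, "expose_php": False,
         "allow_url_fopen": False, "allow_url_include": False, "log_errors": True,
         "display_errors": False, "enable_dl": False, "session.use_only_cookies": True}
CEILINGS = {"memory_limit": "32M", "post_max_size": "12M", "upload_max_filesize": "8M",
            "max_execution_time": "120", "max_input_time": "60"}
# eval is left out: it is a language construct, which disable_functions cannot disable.
DISABLED = set("popen exec system passthru proc_open shell_exec show_source phpinfo".split())
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_ini(text):
    """Return {directive: value}; handles quoted values and trailing ';' comments."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or key.startswith((";", "[")):
            continue
        value = value[1:].split('"')[0] if value[:1] == '"' else value.split(";")[0].strip()
        cfg[key] = value  # a later assignment overrides an earlier one
    return cfg

def to_number(value):  # '32M' -> bytes, '120' -> 120, unparseable -> None
    m = re.fullmatch(r"(-?\d+)\s*([KMG]?)", value.strip(), re.I)
    return int(m.group(1)) * UNITS[m.group(2).upper()] if m else None

def audit(text):
    """List the directives in a php.ini text that deviate from the baseline."""
    cfg, findings = parse_ini(text), []
    for key, want in BOOLS.items():
        got = cfg.get(key, "not set")
        if (got.lower() in {"1", "on", "true", "yes"}) != want or key not in cfg:
            findings.append(f"{key}: {got} (expected {'On' if want else 'Off'})")
    for key, limit in CEILINGS.items():
        n = to_number(cfg.get(key, ""))
        if n is None or n <= 0 or n > to_number(limit):  # <= 0 can lift the limit
            findings.append(f"{key}: {cfg.get(key, 'not set')} (expected at most {limit})")
    missing = DISABLED - {f.strip() for f in cfg.get("disable_functions", "").split(",")}
    if missing:
        findings.append("disable_functions: missing " + ",".join(sorted(missing)))
    return findings

SAMPLE = """\
; constructed sample, not a real server's php.ini
expose_php = On
display_errors = Off ; trailing comment
memory_limit = -1
disable_functions = "popen,exec,system,passthru"
"""
```

Calling audit(SAMPLE) returns one line per deviation; to check a real file, pass its contents, for example audit(open(path).read()) with the path to your own php.ini.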