Tuesday, 10 July 2012

PHP INI settings


open_basedir, disable_classess, disable_functions and safe_mode are the directive used to improve the security while on shared hosting environment.

  • When you are using shared server always set open_basedir to your root directory in php.ini. 
  • This directive allows you to disable certain classes for security reasons. It takes on a comma-delimited list of class names. disable_classes is not affected by Safe Mode. This directive must be set in php.ini 
  • This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_ functions is not affected by Safe Mode. This directive must be set in php.ini. 
  • safe_mode should be off. 
  • display_errors should be off, so that end user can see guess the code, when error come in website 
  • log_errors should be on, so that you can check, if some one try to access your site or any page to whom not authorization. 
  • allow_url_fopen include should be off. allow_url_fopen enables the URL-aware fopen wrappers that enable accessing the files from remote server. allow_url_include allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once (remote add files)
  • magic quotes (magic_quotes_gpc, magic_quotes_runtime) should be off. It will avoid to add the extra slahes (avoid to call addslashes function). 
  • register_globals must be off. Take for example this URL, http://yoursite.com/index.php?var=1, which includes a query string. The register_globals statement allows us to access the value with $var instead of $_GET['var'] automatically. 
  • system(), passthru() and exec() functions must be disable all of which allow a string to be run as a command on the operating system shell.