The most basic thing you can do to secure PHP on the server is to be sure the options in the php.ini file are set optimally. If you are working in a shared hosting environment, you may not have the ability to change the settings in php.ini, but by knowing which settings have an effect on overall server security, you will be able to choose a Web host that has taken the time to secure PHP.
There are dozens of parameters in php.ini, but only a few of them are important from a security standpoint. Many of these parameters aren’t set securely by default, so anytime you have a new PHP installation (or are working in a new environment that you haven’t already secured), take a few minutes to check the settings in php.ini against the following list and change the settings as needed.
- safe_mode = On
safe_mode is a good thing to turn on unless you have a compelling reason not to use it.
- safe_mode_gid = Off
Combined with safe_mode = On, turning off safe_mode_gid requires that a file be owned by the same user and group ID in order to be accessed by a PHP application.
- open_basedir =
This allows you to set the top-level directory that PHP applications can access. For example, if you set open_basedir = /home/my_application/, an attacker would not be able to traverse the filesystem to /home/some_other_user/.
- safe_mode_exec_dir =
Combined with safe_mode = On, functions that execute system programs, such as exec() and system(), can only run programs located in the specified directory. This means that only the system programs you deliberately place in that directory are available to your application, preventing a hacker from executing anything else.
- expose_php = Off
This prevents PHP from including information about itself (such as the version of PHP running on the server) in HTTP headers. This information is very helpful to hackers because it narrows down which vulnerabilities they may be able to exploit. If hackers discover that you are running PHP 4, they will know that there is a good likelihood that they will be able to exploit typical PHP 4 vulnerabilities.
- register_globals = Off
Unless register_globals is turned off, any parameter sent to a PHP script is automatically converted to a global variable. This allows a hacker to create new variables within your application. register_globals is turned off by default in every version of PHP starting with 4.2.0, but it doesn’t hurt to check the setting just to be sure it hasn’t been turned on at some point.
- session.cookie_lifetime =
session.cookie_lifetime specifies how long a session cookie remains viable before it times out. The default value is 0, or no time-out. It’s a good idea to set this value to something that makes sense for your application. For instance, if you’re writing an online banking application, you may want to set it for only a few minutes. For our guestbook, a couple of hours is probably sufficient. This allows the user to walk away and come back, but will prevent some session hijacking attempts.
- display_errors = Off
display_errors is a very useful debugging tool, because it displays detailed error messages anytime a PHP application encounters a problem. Like most debugging tools, it should be turned off in a production environment—unless, of course, you want to share path names, SQL statements, and other sensitive information with the world.
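The following audit script is an added example, not part of the original text: it reads the effective values of the settings listed above with ini_get() and flags any that differ from the recommended values. Because it reads the running configuration rather than the file, it also works on a shared host where you cannot edit php.ini; run it through the web server SAPI, since the command-line interpreter may use a different php.ini. safe_mode, safe_mode_gid and safe_mode_exec_dir were removed in PHP 5.4, so on a current PHP the script reports them as not available.

```php
<?php
// Added audit script: compare effective PHP settings with the hardened
// values discussed above. '1' = must be on, '0' = must be off,
// 'nonempty' = any non-empty value, 'nonzero' = a positive number.
$expected = array(
    'safe_mode'               => '1',
    'safe_mode_gid'           => '0',
    'open_basedir'            => 'nonempty',
    'safe_mode_exec_dir'      => 'nonempty',
    'expose_php'              => '0',
    'register_globals'        => '0',
    'session.cookie_lifetime' => 'nonzero',
    'display_errors'          => '0',
);

// ini_get() returns strings such as "1", "On", "", "Off", or for
// display_errors even "stderr". Treat anything that is not an explicit
// "off" value as on, so odd spellings never pass as disabled by accident.
function normalize_bool($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('', '0', 'off', 'false', 'no', 'none'), true) ? '0' : '1';
}

// Returns array(setting name, status, detail) for one setting.
function check_setting($name, $want)
{
    $actual = ini_get($name);
    if ($actual === false) { // setting unknown to this PHP version
        return array($name, 'N/A', 'setting not available in this PHP version');
    }
    switch ($want) {
        case 'nonempty': $ok = trim($actual) !== '';            break;
        case 'nonzero':  $ok = (int) $actual > 0;               break;
        default:         $ok = normalize_bool($actual) === $want;
    }
    return array($name, $ok ? 'OK' : 'FIX', $actual === '' ? '(empty)' : $actual);
}

foreach ($expected as $name => $want) {
    list($setting, $status, $detail) = check_setting($name, $want);
    printf("%-24s %-4s %s\n", $setting, $status, $detail);
}
```

Each line marked FIX is a setting to change in php.ini (or, on a shared host, a point to raise with the provider), and the detail column shows the value currently in effect.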
These are the most important parameters to look at when securing PHP. If you’re setting up PHP for the first time, you’ll want to familiarize yourself with the entire php.ini file, and be sure you understand what each parameter does before you change the default setting. However, at least where security is concerned, the default values aren’t always the best setting. If you do nothing else with php.ini, at least make sure the parameters listed here are set correctly.