just found this article and the author recommends the following for secure PHP
scripting.  what do the experts think?

**** - Set register_globals off
This option will stop PHP creating global variables for user input. That is,
if a user submits the form variable 'hello' PHP won't set $hello, only
HTTP_GET/POST_VARS['hello']. This is the mother of all other options and is the
best single option for PHP security; it will also kill basically every third
party application available and make programming PHP a whole lot less
convenient.

*** - Set safe_mode on
I'd love to describe exactly what safe_mode does but it isn't documented
completely. It introduces a large variety of restrictions including:
 - The ability to restrict which commands can be executed (by exec() etc)
 - The ability to restrict which functions can be used
 - Restricts file access based on ownership of script and target file
 - Kills file upload completely
This is a great option for ISP environments (for which it is designed) but
it can also greatly improve the security of normal PHP environments given
proper configuration. It can also be a complete pain in the neck.

** - Set open_basedir
This option prevents any file operations on files outside specified
directories. This can effectively kill a variety of local include() and
remote file attacks. Caution is still required in regards to file upload and
session files.

** - Set display_errors off, log_errors on
This prevents PHP error messages from being displayed in the returned web page.
This can effectively limit an attacker's exploration of the function of the
script they are attacking. It can also make debugging very frustrating.

* - Set allow_url_fopen off
This stops remote file functionality. Very few sites really need this
functionality; I absolutely recommend every site set this option.
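As an added example (not part of the quoted article or the poster's message), here is a small PHP script that audits the five php.ini directives the article discusses at runtime with ini_get() and flags any that deviate from the article's recommendations. It assumes nothing beyond a standard PHP interpreter; note that register_globals and safe_mode were removed in PHP 5.4, so on current interpreters ini_get() returns false for them and the audit reports them as unavailable.

```php
<?php
// Added example: audit the php.ini settings recommended above.
// On PHP >= 5.4, register_globals and safe_mode no longer exist, so
// ini_get() returns false for them and they are reported as unavailable.

function ini_bool($value) {
    // php.ini booleans may be stored as "1"/"0", "On"/"Off",
    // "yes"/"no", "true"/"false" or the empty string (meaning off).
    $v = strtolower(trim((string) $value));
    return in_array($v, ['1', 'on', 'yes', 'true'], true);
}

function audit_php_ini() {
    // Expected values taken from the article: true/false for boolean
    // flags, 'nonempty' for open_basedir (any restriction is better than none).
    $expected = [
        'register_globals' => false,
        'safe_mode'        => true,
        'open_basedir'     => 'nonempty',
        'display_errors'   => false,
        'log_errors'       => true,
        'allow_url_fopen'  => false,
    ];
    $report = [];
    foreach ($expected as $name => $want) {
        $actual = ini_get($name);
        if ($actual === false) {
            // Directive unknown to this PHP build (removed or not compiled in).
            $report[$name] = 'directive not available in this PHP build';
            continue;
        }
        if ($want === 'nonempty') {
            $ok    = trim($actual) !== '';
            $shown = $ok ? $actual : '(unset)';
        } else {
            $ok    = ini_bool($actual) === $want;
            $shown = $actual === '' ? 'Off' : $actual;
        }
        $report[$name] = $ok ? "OK   ($shown)" : "WEAK ($shown)";
    }
    return $report;
}

// Print one line per directive; run from the CLI or a throwaway web script.
foreach (audit_php_ini() as $name => $status) {
    printf("%-16s %s\n", $name, $status);
}
```

Because display_errors is often overridden per-virtual-host or via ini_set(), run this from the same SAPI (CLI vs. web server) whose configuration you actually want to check.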




-- 
PHP General Mailing List (http://www.php.net/)
