Ten php.ini directives a new web developer should know November 20, 2011Posted by Tournas Dimitrios in PHP.
One of the most powerful features of PHP is the ability to customize its behavior through a configuration file (php.ini ). This file is normally not editable to people who open an account in a host service . Some settings may be set within a PHP script using ini_set() , whereas others may require php.ini or httpd.conf. You can normally easily see its content with phpinfo() . The structure of the php.ini file is a standard “directive = value” syntax , very much in the style of Windows .ini files . Lines consisting of only white space and lines beginning with a semicolon are ignored . The semicolon is used to add comments to the file . When PHP fires up its engines , one of the first thing it does is to look for the php.ini file so that it can read into memory the directives defined therein .
The following list presents ten php.ini directives that (In My Opinion) are important to know :
- allow_url_fopen : If enabled , allows PHP’s file functions — such as file_get_contents() — to retrieve data from remote locations such as an FTP server or web site , and could lead to code injection vulnerabilities . Typically, these code injection vulnerabilities occur from improper input filtering when passing user-provided data into PHP functions . Disabling this function will help considerably in stopping your site(s) from being compromised , as well as help thwart the unauthorized use of our servers for abusive or malicious purposes . allow_url_fopen is on by default , you can disable it by editing your php.ini file . allow_url_fopen = Off . The setting can also be disabled in apache’s httpd.conf file : php_flag allow_url_fopen off
For remote file access, consider using the cURL functions that PHP provides .
- allow_url_include : This setting is only available since PHP 5.2 ( on older versions it was included into allow_url_fopen ) . By default this function is disabled and prevents remote file access via the include and require statements , but leaves it available for other file functions like fopen() and file_get_contents. include and require are the most common attack points for code injection attempts , so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions . If allow_url_fopen is disabled , allow_url_include is also disabled .
- safe_mode : In PHP, safe mode is a security feature that was designed to prevent hackers from being able to use PHP scripts to execute commands at the operating system level (such as Linux shell commands) . It was intended to be a security method for web applications running on shared hosting accounts , as VPS and dedicated servers running single web hosting accounts did not need it . It never functioned well , however, and PHP developers have removed it from the upcoming version 6 release . The primary problem is that some basic functions required by web scripts would simply not work with PHP safe mode enabled. Dedicated server owners who sold shared hosting accounts to customers were forced to either upset the customers , by providing them with locked-down accounts, or find other security tools , such as ModSecurity . To determine if safe mode is actually off run a phpinfo() script .
- open_basedir : This function defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basdir , PHP will refuse to open it . You cannot use a symbolic link as a workaround , because the path that the symbolic link resolves to falls under the restrictions of the open_basedir function . With proper Apache permissions and PHP installed as an Apache module , PHP inherits whatever privileges Apache has . As Apache is usually endowed with very limited permission in the form of a ‘nobody’ or ‘www-data’ group , there’s actually no need for open_basedir .
- disable_functions : This directive of the php.ini file takes a comma-separated list of function names , and will completely disable these . PHP has a variety of commands with access to the operating system of the server, and that can interact with other programs. Unless you need access to these specific commands, it is highly recommended that you disable them entirely. Commonly disabled functions include
system, show_source, exec, shell_exec, proc_open, passthru, set_time_limit, ini_restore, mysql_list_dbs, ini_alter, dl, pfsockopen, openlog, syslog, symlink, link, chgrp, leak, popen, escapeshellcmd, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, mb_send_mail
- magic_quotes_gpc : This option was introduced to help protect developers from SQL injection attacks. It effectively executes addslashes() on all information received over GET , POST or COOKIE . Unfortunately this protection isn’t perfect: there are a series of other characters that databases interpret as special not covered by this function . In addition , data not sent direct to databases must un-escaped before it can be used . Because it’s inconsistent and ineffective , it’s not recommended that magic_quotes_gpc be enabled . Its recommended that your php scripts have programming/input filtering done so that your databases and site is protected .
- error_reporting : Set the error reporting level with a parameter . The parameter is either an integer representing a bit field , or named constants . The error_reporting levels and constants are described in PHP’s Predefined Constants manual , and in php.ini. To set at runtime , use the error_reporting() function . In PHP 4 and PHP 5 the default value is E_ALL & ~E_NOTICE. This setting does not show E_NOTICE level errors . You may want to show them during development (for debugging purposes) . In PHP 5 a new error level E_STRICT is available. As E_STRICT is not included within E_ALL you have to explicitly enable this kind of error level. Enabling E_STRICT during development has some benefits. STRICT messages will help you to use the latest and greatest suggested method of coding, for example warn you about using deprecated functions .
- display_errors : This determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user . Value “stderr” sends the errors to stderr instead of stdout. The value is available as of PHP 5.2.4. In earlier versions, this directive was of type boolean . This is a feature to support your development and should never be enabled on production systems . Although display_errors may be set at runtime (with ini_set()), it won’t have any affect if the script has fatal errors. This is because the desired runtime action does not get executed . Read more on php.net . The name of the file where script errors should be logged is defined with the error_log directive This file should be writable by the web server’s user . Read more on php.net .
- log_errors : Tells whether script error messages should be logged to the server’s error log-files . This option is thus server-specific . You’re strongly advised to use error logging in place of error displaying on production web sites .
- register_globals : It should be set to “off” (default value) . Read my article , it explains way its a security risk .
- Directory browsing : Actually this feature is not a PHP-ini directive but an Apache functionality . Apache web servers allow directory browsing by default . It’s always good to disable directory browsing in security aspect . To disable directory browsing in apache web server you need to edit the httpd.conf or .htaccess : Open your .htacces file -> Look for Options Indexes -> If Options Indexes exists modify it to Options -Indexes or else add Options -Indexes as a new line . Alternatively create an empty “index.html” in each directory that doesn’t already have one .
Read more :