Difference between revisions of "PHP Configuration Cheat Sheet"
Revision as of 13:13, 30 November 2012
- 1 Introduction
- 2 Configuration and Deployment
- 2.1 suhosin
- 2.2 suPHP
- 2.3 php.ini
- 2.3.1 PHP error handling
- 2.3.2 PHP general settings
- 2.3.3 PHP file upload handling
- 2.3.4 PHP executable handling
- 2.3.5 PHP session handling
- 2.3.6 some more security paranoid checks
- 2.3.7 old, deprecated
- 2.3.8 PHP Database Settings
- 2.3.9 PHP Database User
- 2.3.10 PHP Windows specific Settings
- 2.3.11 PHP Extension
- 3 Related Cheat Sheets
- 4 Authors and Primary Editors
- 5 Other Cheatsheets
Introduction
This page provides quick, basic PHP security tips for administrators (and developers, where applicable). Keep in mind that the tips on this page alone are not enough to secure your PHP web application.
Configuration and Deployment
suhosin
Consider using Stefan Esser's Hardened PHP patch.
suPHP
php.ini
Note that some of the following settings need to be adapted to your system, in particular /path/ and /application/. Also read the PHP Manual for the dependencies between some of these settings.
PHP error handling
expose_php = Off
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /path/PHP-logs/php_error.log
ignore_repeated_errors = Off
PHP general settings
doc_root = /path/DocumentRoot/PHP-scripts/
open_basedir = /path/DocumentRoot/PHP-scripts/
include_path = /path/PHP-pear/
extension_dir = /path/PHP-extensions/
mime_magic.magicfile = /path/PHP-magic.mime
allow_url_fopen = Off
allow_url_include = Off
variables_order = "GPSE"
allow_webdav_methods = Off
PHP file upload handling
file_uploads = Off
upload_tmp_dir = /path/PHP-uploads/
; NOTE: more or less useless, as the request size is first limited by the web server
upload_max_filesize = 1M
max_file_uploads = 2
PHP executable handling
enable_dl = On
; php.ini keeps only the last value of a repeated directive, so every function
; to be disabled must be listed in one single disable_functions line
disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
; see also: http://de3.php.net/features.safe-mode
disable_classes =
PHP session handling
session.auto_start = Off
session.save_path = /path/PHP-session/
session.name = myPHPSESSID
session.hash_function = 1
session.hash_bits_per_character = 6
session.use_trans_sid = 0
session.cookie_domain = full.qualified.domain.name
session.cookie_path = /application/path/
session.cookie_lifetime = 0
session.cookie_secure = On
session.cookie_httponly = 1
session.use_only_cookies = 1
session.cache_expire = 30
default_socket_timeout = 60
some more security paranoid checks
session.referer_check = /application/path
memory_limit = 2M
post_max_size = 2M
max_execution_time = 9
report_memleaks = On
track_errors = Off
html_errors = Off
old, deprecated
Use these configurations in older PHP versions if necessary.
register_globals = Off
gpc_order = "GP"
magic_quotes_gpc = On
safe_mode = On
safe_mode_include_dir = /path/PHP-include
safe_mode_exec_dir = /path/PHP-executable
safe_mode_allowed_env_vars = PHP_
; a repeated directive overrides the earlier one, so keep the whole list on one line
safe_mode_protected_env_vars = SHELL, IFS, PATH, HOME, USER, TZ, TMP, TMPDIR, LANG, LD_LIBRARY_PATH, LD_PRELOAD, SHLIB_PATH, LIBPATH
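As an added example (not part of the original cheat sheet), a small Python audit script that parses a php.ini file the way PHP does (';' comments, last value of a repeated directive wins) and compares the result with a subset of the values recommended above; the BASELINE dict, the helper names and the sample ini text are constructed here and are not from the cheat sheet.

```python
# Hardened values from the cheat sheet's php.ini listing (subset; this dict is constructed here)
BASELINE = {"expose_php": "off", "display_errors": "off", "allow_url_fopen": "off",
            "session.cookie_secure": "on", "session.cookie_httponly": "on",
            "session.use_only_cookies": "on"}

def _norm(value):
    # php.ini accepts several boolean spellings; fold them to 'on'/'off', keep other values
    v = value.strip().strip('"').lower()
    return "on" if v in ("1", "on", "true", "yes") else "off" if v in ("0", "off", "false", "no", "none", "") else v

def parse_php_ini(text):
    """Return (settings, findings). A repeated directive overrides the earlier one, as in PHP."""
    settings, seen, findings = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "[")):   # blank, ';' comment or [section]
            continue
        if line.startswith("#"):                       # '#' is not an ini comment marker
            findings.append(f"line {lineno}: '#' is not a php.ini comment, use ';'")
            continue
        key, _, value = line.partition("=")            # a line without '=' sets key to ''
        key = key.strip().lower()
        if key in seen:
            findings.append(f"line {lineno}: '{key}' repeated, overrides line {seen[key]}")
        seen[key] = lineno
        settings[key] = _norm(value.split(";", 1)[0])  # drop a trailing ';' comment
    return settings, findings

def audit(text):
    settings, findings = parse_php_ini(text)       # parser warnings come first
    for key, want in BASELINE.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set, PHP's built-in default applies")
        elif got != want:
            findings.append(f"{key}: is '{got}', cheat sheet recommends '{want}'")
    return findings

# Constructed sample: one weak value, one repeated directive and a '#' comment line.
SAMPLE_INI = """expose_php = Off
display_errors = On
allow_url_fopen = Off
session.cookie_secure = On
session.cookie_httponly = 1
session.use_only_cookies= 1
disable_functions = system, exec, shell_exec
disable_functions = chdir, mkdir, rmdir
# see also: safe mode
"""
```

Calling audit() on the contents of a real php.ini reports the silently discarded first disable_functions list and the '#' line alongside the values that deviate from the baseline.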
PHP Database Settings
TBD: database settings should be done in the web server's configuration (i.e. httpd.conf)
PHP Database User
TBD: explain the pros and cons of what to set in php.ini and/or httpd.conf and/or the registry
PHP Windows specific Settings
PHP Extension
Related Cheat Sheets
Authors and Primary Editors
Achim Hoffmann - Achim at owasp.org
--Achim, 30. November 2012
Other Cheatsheets
OWASP Cheat Sheets Project Homepage