PHP, WEB

Securing the PHP configuration for production mode

To follow the tips below, locate the php.ini file on your system and make a backup of it first.
A common location for php.ini on Linux is /etc/php5/apache2/.

1. Enable safe mode

Locate line: safe_mode = Off and change it to safe_mode = On

With safe_mode enabled, PHP scripts are only able to access files that are owned by Apache.

2. Disable register globals

Locate line: register_globals = On and change it to register_globals = Off

When register_globals is turned on, all request variables (environment, GET, POST, cookie and server) are automatically registered as global variables.

3. Disable allow_url_fopen

Locate line: allow_url_fopen = On and change it to allow_url_fopen = Off

Turning allow_url_fopen off prevents URLs from being used in PHP include and in some other places that open files.

4. Do not display errors

Locate the following directives and set them as shown below:

display_errors = Off
display_startup_errors = Off
log_errors = On
error_reporting = E_ALL
error_log = /path/to/your/logs

5. Restrict what PHP can access for reading/writing

Locate line: open_basedir = and change it to, for example, open_basedir = /var/www/htdocs/mysite

6. Limit PHP maximum execution time, memory, maximum upload file size, POST size, etc.

max_execution_time = 30  ; Maximum execution time of each script, in seconds
max_input_time = 60      ; Maximum amount of time each script may spend parsing request data
memory_limit = 16M       ; Maximum amount of memory a script may consume
upload_max_filesize = 2M ; Maximum allowed size for uploaded files
post_max_size = 8M       ; Maximum size of POST data that PHP will accept

Change the values to suit your needs.

7. Disable magic quotes

Locate line: magic_quotes_gpc = On and change it to magic_quotes_gpc = Off

and line: magic_quotes_sybase = On and change it to magic_quotes_sybase = Off

and handle input filtering in your scripts yourself.

8. Change upload_tmp_dir

upload_tmp_dir specifies the temporary directory used for storing uploaded files. This directory should not be inside the web site's document root, and it should not be readable or writable by any other system user.

e.g. upload_tmp_dir = /var/www/mysite
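As an added example (not part of the original post), here is a small Python audit script that parses a php.ini file and reports which of the directives from the steps above are missing or still at their insecure values. It handles the On/Off, 1/0 and quoted spellings php.ini accepts and the trailing `;` comments shown in step 6; the SAMPLE_INI fragment and the paths in it are constructed for the demonstration.

```python
# Hardening baseline from the steps above: directive -> expected value.
BASELINE = {"safe_mode": "on", "register_globals": "off", "allow_url_fopen": "off",
            "display_errors": "off", "display_startup_errors": "off", "log_errors": "on",
            "magic_quotes_gpc": "off", "magic_quotes_sybase": "off"}
REQUIRED_PATHS = ("open_basedir", "error_log", "upload_tmp_dir")  # must be set, non-empty

def parse_php_ini(text):
    """Map directive -> value; strips ';' comments, skips [sections], unquotes values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop full-line and trailing comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')   # later assignments win, as in PHP
    return settings

def normalize_bool(value):
    """php.ini accepts On/Off, 1/0, True/False, Yes/No; fold them to 'on'/'off'."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    return "off" if v in ("", "0", "off", "false", "no", "none") else v

def audit(text):
    """Return findings as strings; an empty list means the file matches the baseline."""
    settings = parse_php_ini(text)
    findings = []
    for key, wanted in BASELINE.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} missing (PHP default applies); expected {wanted}")
        elif normalize_bool(actual) != wanted:
            findings.append(f"{key} = {actual}; expected {wanted}")
    for key in REQUIRED_PATHS:
        if not settings.get(key, "").strip():
            findings.append(f"{key} empty or missing")
    return findings

# Constructed php.ini fragment: one directive left insecure, three omitted, one path empty.
SAMPLE_INI = """[PHP]
safe_mode = On
register_globals = On   ; forgot to turn this off
allow_url_fopen = Off
display_errors = "0"
log_errors = On
error_log = /var/log/php/errors.log
open_basedir =
upload_tmp_dir = /var/php_uploads
"""
```

Running `audit(SAMPLE_INI)` on the fragment yields five findings: register_globals still on, the three omitted directives, and the empty open_basedir.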