Secure PHP with Configuration Settings

By Tali Smith

November 15, 2009

Introduction

PHP code can be embedded in your Web pages along with HTML code. When your Web server receives a request for a page, the page is first given to the PHP handler. The PHP handler outputs HTML code without modification and executes any PHP commands. Any HTML code generated by the PHP commands is also output. This results in a Web page with content that has been customized on the server before being sent to the requestor.

The capabilities of PHP also make it a potential security risk because data is actively fetched, received, and processed from anywhere on the Internet. Attackers may attempt to send in malicious data and scripts and trick your server into fetching malicious scripts and running them. Attackers may also attempt to read and write files on your server to take control of the Web site and use it for their own purposes.

You can configure PHP settings to tighten the security of a PHP installation and help protect the Web site from malicious attacks. The Php.ini file specifies the configuration settings PHP uses when it is running on your Web site. The Php.ini file determines what things PHP scripts are allowed to do and what the scripts are prohibited from doing. Table 1 summarizes settings that affect security. More detailed explanations of the setting follow.

Setting

Description

allow_url_fopen=Off
allow_url_include=Off

Disable remote URLs (which may cause code injection vulnerabilities) for file handling functions.

register_globals=Off

Disable register_globals.

open_basedir="c:\inetpub\"

Restrict where PHP processes can read and write on a file system.

safe_mode=Off
safe_mode_gid=Off

Disable safe mode.

max_execution_time=30
max_input_time=60

Limit script execution time.

memory_limit=16M
upload_max_filesize=2M
post_max_size=8M
max_input_nesting_levels=64

Limit memory usage and file sizes.

display_errors=Off
log_errors=On
error_log="C:\path\of\your\choice"

Configure error messages and logging.

fastcgi.logging=0

Internet Information Services (IIS) FastCGI module will fail the request when PHP sends any data on stderr by using FastCGI protocol. Disabling FastCGI logging will prevent PHP from sending error information over stderr, and generating 500 response codes for the client.

expose_php=Off

Hide presence of PHP.

Table 1: Recommended Php.ini settings

allow_url_fopen = Off

This setting is very important because it prevents URLs from being used in statements such as include(). Setting allow_url_fopen to “Off” means that only files that reside within your Web site can be included; you cannot include a file from a different server, but neither can other people through Remote File Inclusion (RFI) attacks. (In an RFI attack, someone embeds a URL in an HTTP request hoping that your script is tricked into running theirs.) A command such as include("http://website.com/page.php"), for example, is not allowed to execute.

Include a file from your own site by specifying its path and filename. For example, if you have a URL include line, convert it to:

include($_SERVER['DOCUMENT_ROOT'] . '/page.php');

$_SERVER['DOCUMENT_ROOT'] is a superglobal variable set to be the root folder of your site. (Note that there is no trailing “/”; you must provide a leading “/” in '/page.php'. )

If you want to include static content from another one of your Web sites, such as include('http://myothersite.com/includes/footer.php'), make a copy of that content in the current site and then include it locally.

Note that if you must include content from a remote site using URLs and need to set allow_url_fopen = On, look for alternative ways to gain some protection from RFI attacks.

DISPLAY_ERRORS =Off
display_startup_errors = Off
log_errors = On
error_reporting = E_ALL

These settings specify that all errors and warnings get logged to your error log text file and specify that none of the errors or warnings get displayed on any Web page that is sent out from your server. Errors should not be displayed publicly because they can help someone figure out how to attack your server. Always check your error log when you are testing new code.

error_log = /home/yourUserID/public_html/phperr.txt

This defines the path and fie to which your PHP errors and warnings are logged. You should use a text file for error logging, but note that the text file will accumulate errors indefinitely until you empty it. Keep the error log file in an area of your Web site that is not publicly accessible.

expose_php = Off

With this setting, the headers that accompany outgoing pages do not reveal that PHP is running or its version.

register_globals = Off

For example, for the URL http://site.com/index.php?variable=value, the variable passes into your script with its value set to value when register_globals is “On.” When register_globals is “Off,” however, variables do not automatically pass into your script’s variable list. This makes it much more difficult for an attacker to inject code into your script.

safe_mode = Off

This setting is not in the “recommended Php.ini” file. It restricts the permissions with which PHP scripts run. Some third-party scripts do not run properly when safe_mode is set to “On.” Note that beginning with PHP 6 safe_mode does not exist.

View the PHP Settings

You can get a complete report of all your PHP settings.

1. Create a text file with a .php extension:

<?php phpinfo(); ?>

2. Upload it to your server into (preferably) a password-protected folder.

3. Open your Web browser, and type the path into the address bar:

http://yoursite.com/whatever/filename.php

4. Enter your user name and password to access the protected folder and view the result page.

5. Save or print the result page to your local computer for reference.

6. Delete the .php file from your server.

Links for Further Information

How to change configuration settings.

Using FastCGI to Host PHP Applications on IIS 7.0 and Above.



Discuss in IIS Forums