Developer Oracles » php search engine script http://devoracles.com Sun, 21 Mar 2010 11:05:37 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Additional tweaks to tighten php http://devoracles.com/additional-tweaks-to-tighten-php/12 http://devoracles.com/additional-tweaks-to-tighten-php/12#comments Sun, 13 Jul 2008 09:21:37 +0000 Gary Illyes http://devoracles.com/?p=12 Believe me or not, the resource limiting of PHP can also be an enormous security factor.
Take this scenario: Mr. John Hacker managed somehow to upload to your server a script, let’s say an IRC bot which eats up computing power and RAM. Your server became inaccessible due to the running script, who your regular users blame? You, of course, who else?
Php has some very neat settings you can tweak in order to limit its memory usage, to expose what version of php you are using or not, and others.
Let’s start from the beginning:
asp_tags and short_open_tags, whether to allow the use of asp-like tags like “<%” and short open tags like “<?” instead of “<?php”. I usually set these to off, for one reason: I usually know I set them to off thus I’m not trying to use them in the scripts, but others don’t know. If they manage to upload a script containing these tags it will be much likely useless for them as PHP won’t do anything with them.
expose_php if set to on, will append to the server signature the PHP version you are using. If you didn’t upgrade yet to the latest php, you should set it to off, else it’s up to you what you do. I like to set it off, let’s not allow others what version the server runs.
memory_limit, this is a nice one and you should tweak it to extreme. You can set how much memory would you like to allocate for PHP. If your scripts are not memory eaters, this should be a low value, if they are, a higher value. You can also disable the directive by setting a value of -1, but be aware that with -1, PHP can use as much memory as it wants. I learned that the golden middle is 32, try first that value and if everything is running well, leave at that value.
register_globals, the black sheep :| . Whether to register the $_ENV, $_GET, $_POST, $_SERVER and $_COOKIE variables as global variables. This is covered in too much articles already, i won’t explain why to set it OFF. If you rely on it, stop doing so, learn how to not rely on it or give up coding, period.
file_uploads and upload_max_filesize, whether to allow or not file uploads, and if you allow, what’s the maximum filesize you would like to accept via the HTTP request. The file upload is pretty useless to have it enabled if you don’t use file upload scripts, so if you are not using disable it. Why let Mr. John Hacker to put file-upload scripts on your server?

And these were all the settings I wanted to cover in this post. Consider using them, think carefully before allowing something and before setting something, always.
Here are the settings I recommend:

asp_tags = Off
short_open_tags = Off
expose_php = Off
memory_limit = 32M
register_globals = Off
file_uploads = Off
upload_max_filesize = 2M

Again, much likely others would do it in another way, that’s my way, feel free to use it or not :)

]]> http://devoracles.com/additional-tweaks-to-tighten-php/12/feed 0