Important PHP security settings
PHP is a server-side scripting language. You can embed PHP code in your web pages along with HTML. When your server receives a request for a page, it first hands the page to the PHP handler program. The PHP handler outputs HTML code as-is, but when it encounters PHP commands, it executes them. Any HTML generated by the PHP commands is also output. The end result is a web page whose content has been customized on the server before being sent to whoever requested it.
There are two files where PHP configuration directives can go: php.ini or an Apache .htaccess file (which one applies depends on how PHP runs on your server).
How to view your PHP settings.
Create a text file with a .php extension, containing just this line:
<?php phpinfo(); ?>
Then open that file in a browser to view the PHP info page.
The following settings are used to prevent hacking attempts, malware injection and similar abuse of your PHP application.
The disable_functions directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini.
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
Review the other PHP functions your application does not need and disable them as well.
What is Safe Mode?
Safe Mode is a security feature that was designed to prevent hackers from being able to use PHP scripts to execute commands at the operating system level (such as Linux shell commands).
To disable PHP safe mode on a server, edit the /usr/local/lib/php.ini file and modify the following line:
safe_mode = Off
The open_basedir directive defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basedir, PHP will refuse to open it. You cannot use a symbolic link as a workaround, because the path that the symbolic link resolves to also falls under the open_basedir restrictions.
To prevent accounts from accessing foreign files using PHP:
WHM >> Security Center >> PHP open_basedir Tweak
Tick the Enable php open_basedir Protection checkbox at the top of the list.
Select domains you wish to exclude, disabling protection for their files.
How does it work?
PHP admin directives for open_basedir are added to each Virtual Host in httpd.conf. These directives limit users’ access via PHP to only the following directories:
register_globals is an internal PHP setting which registers the $_REQUEST array's elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible in the PHP script through a variable named after the input field.
In other words, if you submitted a form containing a username text field, the expression ($username === $_POST['username']) at the very beginning of the script would return true.
If it is enabled, any query string at the end of the URL http://yourdomain/something.php?valid=true will affect the value of a variable $valid (for example) in something.php, if it exists.
If you're using publicly available PHP code (a library, for example), the names of its variables are well known, and it would be possible for hackers to control their values by assigning values in the query string. They may be able to bypass authentication.
For security reasons, it is recommended to disable register_globals.
Put this one line in your php.ini:
register_globals = off
allow_url_fopen is especially important. Turning it off prevents URLs (internet addresses) from being used in PHP include() statements and in some other places. A command such as include("http://website.com/page.php") will not be allowed to execute. Only files that reside within your website can be included, and you must refer to them by their file paths, not by their internet URLs.
You can include a file from your own site simply by specifying its path and filename. Here is an example of how to convert a URL include to one that does not use a URL:
Assume your current code looks like this:
You would convert it to this:
include($_SERVER['DOCUMENT_ROOT'] . '/page.php');
Turn this setting off:
allow_url_fopen = Off
Magic Quotes, generally speaking, is the process of escaping special characters with a '\' so that a string can be entered into a database. This is considered 'magic' because PHP can do it automatically for you if you have magic_quotes_gpc turned on.
More specifically, if magic_quotes_gpc is turned on for the copy of PHP you are using, all GET, POST and Cookie variables (gpc, get it?) will already have special characters like ", ' and \ escaped, so it is safe to put them directly into an SQL query.
magic_quotes_gpc = Off
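As an added example (not part of the original article), the following Python script audits a php.ini fragment against the directives covered above: disable_functions, open_basedir, register_globals, allow_url_fopen and magic_quotes_gpc. It applies PHP's own boolean interpretation of ini values (On/1/true versus Off/0/empty), falls back to PHP's built-in default when a directive is absent, and lets the last assignment win when a directive is repeated. The sample php.ini content is constructed for the demo.

```python
"""Audit a php.ini fragment against the hardening directives discussed above."""

# Functions the article recommends listing in disable_functions.
RECOMMENDED_DISABLED = {
    "exec", "passthru", "shell_exec", "system", "proc_open", "popen",
    "curl_exec", "curl_multi_exec", "parse_ini_file", "show_source",
}

# PHP's ini parser treats these spellings as boolean false (case-insensitive);
# anything else ("On", "1", "true", ...) counts as enabled.
FALSE_VALUES = {"", "0", "off", "no", "false", "none"}

# Directives that must be off, with PHP's built-in default used when the
# directive does not appear in php.ini at all (allow_url_fopen and
# magic_quotes_gpc default to On, register_globals to Off).
MUST_BE_OFF = {"register_globals": "0", "allow_url_fopen": "1", "magic_quotes_gpc": "1"}

# Constructed php.ini fragment: register_globals is on, allow_url_fopen is
# first on and then overridden, and disable_functions is incomplete.
SAMPLE_INI = """
[PHP]
register_globals = On
allow_url_fopen = On   ; overridden below, last assignment wins
disable_functions = exec, passthru, shell_exec
open_basedir = "/home/example/public_html:/tmp"
allow_url_fopen = Off
magic_quotes_gpc = Off
"""


def parse_ini(text):
    """Return {directive: value} from php.ini text, skipping ';' comments and [Sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


def is_enabled(value):
    """Apply PHP's boolean interpretation to an ini value string."""
    return value.strip().lower() not in FALSE_VALUES


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    ini = parse_ini(text)
    findings = []
    for directive, default in MUST_BE_OFF.items():
        if is_enabled(ini.get(directive, default)):
            findings.append(f"{directive} is enabled; set '{directive} = Off'")
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not ini.get("open_basedir"):
        findings.append("open_basedir is unset; PHP may read files anywhere on the filesystem")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("WARNING:", finding)
```

Running the script against a copy of your real php.ini (read the file and pass its contents to audit()) reports each directive that still needs attention.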