PHP Config Files and YOU!

php-sauceWhat is PHP?

First off, I suppose we should start with a (very) brief introduction about what PHP is.  PHP which stands for PHP: Hypertext Preprocessor (yeah, it doesn’t make sense to me either) is a formatting language used to make dynamic web sites.  As it turns out, PHP originally stood for personal home page, but has evolved quite a bit since its inception in 1994.  PHP is now a widely used scripting language used on millions of web pages and web servers.

What is a php.ini file?

One of the most powerful tools available for a PHP user is the php.ini file.  Unfortunately, the power and utility of this file often goes overlooked.  The php.ini file can be used to drastically alter the way that PHP behaves.  Since it would be a real pain to have to adjust PHP every time you needed to make a change, the developers implemented the php.ini file.  PHP searches for this file every time that it fires up and then reads the file and follows the directives defined within.  This file can be used to alter the functionality of PHP and add increased levels of security for your web applications.  Lets take a look at some common uses:

Disabling Functionality

There are some features of PHP that you will probably never want to use.  It may be a good idea to completely disable them from the start in order to prevent possible malicious attacks.  In the event that an attacker was able to upload a script to your site, this is an excellent way to disable that script from the start.  Some top functions to diable are php_uname, getmyuid, getmypid etc.

Restrict File Uploads

Here you can turn off or limit the file upload functionality of your PHP scripts.  If you are not using the file upload functionality in any of your scripts then it is probably a good idea to turn it off completely.  This makes it more difficult for attackers to upload files to your web server.  To disable file uploads you need to change the file_uploads directive to “Off”

Securing Error Messages

Error messages are some of the most common paths to information disclosure.  They often contain information such as installation path, database info, and scripting variables.  This information might be extremely useful to you as it can help you figure out what the problem with your site is, however it is worthless to users and can be used to gain access by an attacker.  You can use php.ini to hide errors when PHP encounters a problem.

Feel free to submit any uses for the php.ini file in the comments section.  I’d love to facilitate a discussion!

1
Oct
Written by Brian
Categories: PHP,web hosting tips
Tags: ,