H. Dan Phillips wrote:
Let me begin by saying I'm a newbie to PHP and open source. I set up a
Windows 2003 server with IIS6, PHP 5x and MySQL 5x for one of our
developers to start building a new web-based application. The developer
will be using phpMyAdmin for his purposes. The settings that were used
were ones posted out on many web sites for this combo. I'm looking for
detailed instructions to secure the server from the standpoint of the
server OS, php.ini and MySQL. The developer will be securing access to
the application from his end but I want to make sure that the server
also remains secure. It will only be used within our intranet and only
by a handful of people. Any and all suggestions will be greatly
appreciated.

We can't offer advice on the OS or MySQL - find a more specific mailing
list for those questions.

For the php.ini, disable allow_url_fopen (or if you're using PHP 5.2.0,
disable allow_url_include at least) and disable register_globals.

Depending on what the application does, I'd look at disabling exec,
system and the like (see http://php.net/exec & look for
"disable_functions" in the php.ini file).

Turn off enable_dl unless you have a specific need for it.

Only enable the extensions you need to use (i.e. don't enable Oracle
support if you aren't going to use it).

Having said that - most of the PHP security problems relate to the
application, rather than the php.ini file.

--
Postgresql & php tutorials
http://www.designmagick.com/
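
An added example, not part of the original reply: a small Python audit that checks a php.ini for the settings named above. The names `parse_ini`, `audit` and the `SAMPLE` text are constructed for illustration, and the parser assumes simple `key = value` lines with `;` comments (no `;` inside quoted values).

```python
MUST_BE_OFF = ("allow_url_fopen", "allow_url_include", "register_globals", "enable_dl")
RISKY_FUNCS = ("exec", "system")  # the functions the reply names explicitly
TRUE_WORDS = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return (settings dict, list of loaded extensions) from php.ini text."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line or "=" not in line:      # skips blanks and [section] headers
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.lower() == "extension":
            extensions.append(value)
        else:
            settings[key.lower()] = value
    return settings, extensions

def audit(text):
    """List findings for the directives the reply says to switch off or review."""
    settings, extensions = parse_ini(text)
    findings = []
    for name in MUST_BE_OFF:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: not set, built-in default applies; set it Off explicitly")
        elif value.lower() in TRUE_WORDS:
            findings.append(f"{name}: enabled, should be Off")
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",")}
    for func in RISKY_FUNCS:
        if func not in disabled:
            findings.append(f"disable_functions: {func} is still callable")
    for ext in extensions:
        findings.append(f"extension loaded: {ext} (confirm the application needs it)")
    return findings

# Constructed sample, not taken from the poster's server.
SAMPLE = """\
[PHP]
allow_url_fopen = On      ; remote URLs in fopen/include
register_globals = Off
enable_dl = On
disable_functions = exec
extension=php_mysql.dll
;extension=php_oci8.dll
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Extend `RISKY_FUNCS` with whatever other command-execution functions the application does not need; the audit flags them the same way.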