Re: server side security

H. Dan Phillips wrote:
> Let me begin by saying I'm a newbie to PHP and open source. I set up a Windows 2003 server with IIS6, PHP 5x and MySQL 5x for one of our developers to start building a new web-based application. The developer will be using phpMyAdmin for his purposes. The settings that were used were ones posted out on many web sites for this combo. I'm looking for detailed instructions to secure the server from the standpoint of the server OS, php.ini and MySQL. The developer will be securing access to the application from his end, but I want to make sure that the server also remains secure. It will only be used within our intranet and only by a handful of people. Any and all suggestions will be greatly appreciated.

We can't offer advice on the OS or MySQL - find a more specific mailing list for those questions.

For the php.ini, disable allow_url_fopen (or if you're using PHP 5.2.0, disable allow_url_include at least) and disable register_globals.

Depending on what the application does, I'd look at disabling exec, system and the like (see http://php.net/exec & look for "disable_functions" in the php.ini file).

Turn off enable_dl unless you have a specific need for it.

Only enable the extensions you need to use (i.e. don't enable Oracle support if you aren't going to use it).


Having said that - most of the PHP security problems relate to the application, rather than the php.ini file.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
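
The php.ini advice in the reply above, as an added example that is not part of the original message: a Python sketch that audits php.ini text for those settings. The sample file, the needed-extension list and the function names beyond exec and system are assumptions constructed here; the fallback values are PHP's built-in defaults for a directive that is absent.

```python
# Added example: audit php.ini text against the settings named in the reply.
# "exec, system and the like": names beyond exec/system are this example's assumption.
RISKY_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}
# Directive -> whether PHP treats it as enabled when the line is missing.
MUST_BE_OFF = {"allow_url_fopen": True, "allow_url_include": False,
               "register_globals": False, "enable_dl": True}

def parse_php_ini(text):
    """Return (settings, extensions); the last assignment of a key wins."""
    settings, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (simplified)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if key == "extension":
            extensions.append(value)  # 'extension' may repeat, keep every one
        else:
            settings[key] = value
    return settings, extensions

def is_on(value):
    return value.strip().lower() in {"1", "on", "true", "yes"}

def audit(text, needed_extensions=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    settings, extensions = parse_php_ini(text)
    findings = []
    for name, default_on in MUST_BE_OFF.items():
        enabled = is_on(settings[name]) if name in settings else default_on
        if enabled:
            findings.append(f"{name} is enabled")
    listed = settings.get("disable_functions", "").split(",")
    disabled = {f.strip() for f in listed if f.strip()}
    for func in sorted(RISKY_FUNCTIONS - disabled):
        findings.append(f"{func} is not in disable_functions (review)")
    for ext in extensions:
        if ext not in needed_extensions:
            findings.append(f"extension {ext} is loaded but not listed as needed")
    return findings

# Constructed sample, not taken from any real server.
SAMPLE_INI = """[PHP]
allow_url_fopen = On
register_globals = Off
; enable_dl is not set, so the default (On) applies
disable_functions = exec,system
extension=php_mysql.dll
extension=php_oci8.dll
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, needed_extensions={"php_mysql.dll"}):
        print(finding)
```

This reads one file only; the values PHP actually runs with can differ if further ini files are loaded, so compare against phpinfo() output on the server.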

