PHP Security Checklist
PHP is a widely used scripting language, primarily for web applications, although it has been known to be used to implement operating systems. The default configuration of PHP in most of its distributions is fairly secure, but there are some configuration options worth checking to ensure the optimal security settings. It's also worth checking your code, and we give some pointers on what to look for there to stop security problems before they happen.
php.ini configuration
These are some of the most important directives in the PHP configuration; make sure each one has the correct setting. This list is only a summary and there are many hundreds of settings with which slight
- register_globals - make sure this setting is off. With it on, a user can arbitrarily overwrite variables in your scripts simply by supplying them in a GET request. For instance, if you have a variable $i within your script, a user can request randomfile.php?i=15 and it will be overwritten.
- display_errors - while this doesn't directly enable malicious access to your scripts, having error messages on display can reveal the file paths and line numbers where errors occurred at runtime. Hiding this data reduces the amount of information your script exposes, and you can still find these errors by checking, typically, your HTTP error log.
- open_basedir - this directive restricts PHP to working only in the declared directories. This mainly prevents file inclusion exploits, where a malicious user may be able to open any file on your filesystem (such as /etc/shadow) and print it out to their browser window.
- disable_functions - possibly one of the most important directives to use, this allows any PHP library function to be disabled as your needs dictate. Functions listed under the directive cannot be used by PHP within the environment that the .ini file applies to, which can prevent any PHP files on the filesystem (whether they are actually malicious or badly coded) from executing functions that may cause irreparable damage to the system.
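The four directives above can be checked from a script. This is an added example, not code from the original page; the function names and the RISKY_FUNCTIONS list are assumptions chosen for illustration, and the weak configuration at the end is constructed sample input.

```php
<?php
// Added example: audits the four php.ini directives from the checklist.
// RISKY_FUNCTIONS is an assumed sample list; pick what your application can live without.
const RISKY_FUNCTIONS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];

// Flags read back as "", "0", "1", "On", "stderr", ... depending on how they
// were set, so compare against every spelling of "off".
function flag_is_off($value): bool
{
    // false (directive unknown, e.g. register_globals since PHP 5.4) casts to "".
    return in_array(strtolower(trim((string) $value)), ['', '0', 'off', 'false', 'no', 'none'], true);
}

// $settings maps directive name => value as ini_get() would return it.
function audit_php_settings(array $settings): array
{
    $findings = [];
    foreach (['register_globals', 'display_errors'] as $flag) {
        if (!flag_is_off($settings[$flag] ?? false)) {
            $findings[] = "$flag is enabled; set it to Off";
        }
    }
    if (trim((string) ($settings['open_basedir'] ?? '')) === '') {
        $findings[] = 'open_basedir is empty; PHP is not confined to any directory';
    }
    $disabled = array_map('trim', explode(',', strtolower((string) ($settings['disable_functions'] ?? ''))));
    $missing = array_diff(RISKY_FUNCTIONS, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions does not list: ' . implode(', ', $missing);
    }
    return $findings;
}

function report(string $label, array $settings): void
{
    echo "$label:\n";
    foreach (audit_php_settings($settings) ?: ['no findings'] as $line) {
        echo "  - $line\n";
    }
}

// Audit the configuration this script is running under.
$names = ['register_globals', 'display_errors', 'open_basedir', 'disable_functions'];
report('Live configuration', array_combine($names, array_map('ini_get', $names)));

// Constructed weak configuration, to show what a failing audit reports.
report('Constructed weak configuration', ['register_globals' => '1',
    'display_errors' => 'stderr', 'open_basedir' => '', 'disable_functions' => 'exec']);
```

Run it through the same SAPI that serves your site (web server or FPM), since the command-line PHP binary often loads a different .ini file.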
Securing your code
You can take many strategies to secure your inputs in PHP. These are some of the most common ones you can use within your code to prevent attempts to get erroneous results out of it (and, ultimately, to hack it).
- Input sanitisation - ensure that your inputs are actually of the appropriate type by using library functions such as intval() or floatval(). While a small step, this helps to ensure that any operations you perform on variables will work as expected.
- Use of fopen(), etc. - using fopen() can introduce substantial security risks, particularly when fetching the contents of remote resources. A carefully crafted file could potentially cause an internal buffer overflow within PHP, which could be used to exploit your code. In other words, only use fopen() when you know that the file you are opening comes from a trusted source.