Secure your PHP.INI file!

**NoBrain** · 01-10-11

Securing your PHP.INI file!

1) display_errors
Disable the display_errors is the first thing. If it is ‘ On ‘ the errors on execution will be displayed to the user’s browser window. So the user can get an idea about the table structure and directory structure. You can avoid this by disabling display_errors in php.ini
Usage : display_errors=OFF

2) safe_mode
safe_mode is more relevent in a shared server environment. If safe_mode is enabled it will check a UID/GID comparison check on the file/directory to be accessed and compare it to the uid/gid of the script that is trying to access the file. If that are same it will allow the file access if not it will block the access. If you want to compare only GID then you can enable ” safe_mode_gid” value in php.ini .

3) sql.safe_mode
Make sql.safe_mode as Off. If it is on mysqli_connect() and mysql_connect() will connect to mysql with default username and password.

4) magic_quotes_gpc
Enable magic_quotes_gpc so that you can make your user inputs secure. It work s same as addslashes() function. It will add a backslash () with every single quotes, double quotes.

5) safe_mode_allowed_env_vars and safe_mode_allowed_env_vars
These two variables will protect environment variables from changing using user php scripts. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. So that environment variables which are not starting with one of them defined in safe_mode_allowed_env_vars cannot be modified.
Another configuration safe_mode_protected_env_vars will set the names of environment variables that the user is not allowed to modify even if it is present in safe_mode_allowed_env_vars.

6) disable_functions
This will allow you to disable the insecure functions such as shell_exec, system,exec.

This information was taken from: Secure Your PHP Scripts

**MentaL**

**Predict** · 01-10-11

Originally Posted by Jupos

Securing your PHP.INI file!

1) display_errors
Disable the display_errors is the first thing. If it is ‘ On ‘ the errors on execution will be displayed to the user’s browser window. So the user can get an idea about the table structure and directory structure. You can avoid this by disabling display_errors in php.ini
Usage : display_errors=OFF

2) safe_mode
safe_mode is more relevent in a shared server environment. If safe_mode is enabled it will check a UID/GID comparison check on the file/directory to be accessed and compare it to the uid/gid of the script that is trying to access the file. If that are same it will allow the file access if not it will block the access. If you want to compare only GID then you can enable ” safe_mode_gid” value in php.ini .

3) sql.safe_mode
Make sql.safe_mode as Off. If it is on mysqli_connect() and mysql_connect() will connect to mysql with default username and password.

4) magic_quotes_gpc
Enable magic_quotes_gpc so that you can make your user inputs secure. It work s same as addslashes() function. It will add a backslash () with every single quotes, double quotes.

5) safe_mode_allowed_env_vars and safe_mode_allowed_env_vars
These two variables will protect environment variables from changing using user php scripts. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. So that environment variables which are not starting with one of them defined in safe_mode_allowed_env_vars cannot be modified.
Another configuration safe_mode_protected_env_vars will set the names of environment variables that the user is not allowed to modify even if it is present in safe_mode_allowed_env_vars.

6) disable_functions
This will allow you to disable the insecure functions such as shell_exec, system,exec.

This information was taken from: Secure Your PHP Scripts

Somebody has been reading my posts.
P.S: This is related to Xampp.

**NoBrain** · 01-10-11

Originally Posted by Predict

Somebody has been reading my posts.
P.S: This is related to Xampp.

Why quote the main thread? XD
Posted via Mobile Device

**Matthew** · 01-10-11

Originally Posted by Jupos

1) display_errors
Disable the display_errors is the first thing. If it is ‘ On ‘ the errors on execution will be displayed to the user’s browser window. So the user can get an idea about the table structure and directory structure. You can avoid this by disabling display_errors in php.ini
Usage : display_errors=OFF

Not really a big issue. If you're running a production website that's visible on the internet your CMS shouldn't have errors. Period.

Originally Posted by Jupos

2) safe_mode
safe_mode is more relevent in a shared server environment. If safe_mode is enabled it will check a UID/GID comparison check on the file/directory to be accessed and compare it to the uid/gid of the script that is trying to access the file. If that are same it will allow the file access if not it will block the access. If you want to compare only GID then you can enable ” safe_mode_gid” value in php.ini .

This is old, very old. Safe_mode is completely removed in later PHP builds. And even in the older ones it's caused more problems than its attempted to solve. Hence PHP removing it.

Originally Posted by Jupos

3) sql.safe_mode
Make sql.safe_mode as Off. If it is on mysqli_connect() and mysql_connect() will connect to mysql with default username and password.

Same as above. Removed, if not useless.

Originally Posted by Jupos

4) magic_quotes_gpc
Enable magic_quotes_gpc so that you can make your user inputs secure. It work s same as addslashes() function. It will add a backslash () with every single quotes, double quotes.

Same as above, being removed. magic_quotes as made for noobs in the early days as a way of combating SQL injections.

Originally Posted by Jupos

5) safe_mode_allowed_env_vars and safe_mode_allowed_env_vars
These two variables will protect environment variables from changing using user php scripts. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. So that environment variables which are not starting with one of them defined in safe_mode_allowed_env_vars cannot be modified.
Another configuration safe_mode_protected_env_vars will set the names of environment variables that the user is not allowed to modify even if it is present in safe_mode_allowed_env_vars.

Never really heard of these, again I doubt these are even in PHP builds any more.

Originally Posted by Jupos

6) disable_functions
This will allow you to disable the insecure functions such as shell_exec, system,exec.

Now, I'm not flaming you. But I'm just stating what appears to be the facts. Also note the article date: "April 21st, 2007". Most if not everything on that article does not relate to later PHP builds and is obsolete.

Thanks for trying though.

**NoBrain** · 01-10-11

Im just trying to help Habbo community, thanks for your input!
Posted via Mobile Device

**dance.it** · 01-10-11

I actually found this quiet useful. Thanks mate ;)

**Subway** · 01-10-11

But who still uses xampp?
Posted via Mobile Device

**NoBrain** · 01-10-11

Originally Posted by Subway

But who still uses xampp?
Posted via Mobile Device

This applies to everyone using PHP. IIS uses PHP, nginx uses PHP etc.

**Joopie** · 01-10-11

Originally Posted by Subway

But who still uses xampp?
Posted via Mobile Device

xampp is a pack with php, mysql, apache etc in a handy installer.

x.x, But who did know that

**Vusion** · 01-10-11

I recommend AppServ honestly, it's PHP.ini is quite secure without even a single edit, and the fact that xampp has that webdav exploit(I know it takes 2 clicks to patch it but still) makes me hate xampp.

**NoBrain** · 01-10-11

Originally Posted by Vusion

I recommend AppServ honestly, it's PHP.ini is quite secure without even a single edit, and the fact that xampp has that webdav exploit(I know it takes 2 clicks to patch it but still) makes me hate xampp.

I use my owner Private Webserver, BrainServer. It's a mix of nginx, PHP, MySQL. Might be releasing it when it's finished. ;3

**vLife** · 01-10-11

XAMPP is used for people who develop. That's its whole purpose of it.
Was never meant to be used to run Private Servers on it.

**evilxeddie** · 01-10-11

Originally Posted by Jupos

Securing your PHP.INI file!

1) display_errors
Disable the display_errors is the first thing. If it is ‘ On ‘ the errors on execution will be displayed to the user’s browser window. So the user can get an idea about the table structure and directory structure. You can avoid this by disabling display_errors in php.ini
Usage : display_errors=OFF

2) safe_mode
safe_mode is more relevent in a shared server environment. If safe_mode is enabled it will check a UID/GID comparison check on the file/directory to be accessed and compare it to the uid/gid of the script that is trying to access the file. If that are same it will allow the file access if not it will block the access. If you want to compare only GID then you can enable ” safe_mode_gid” value in php.ini .

3) sql.safe_mode
Make sql.safe_mode as Off. If it is on mysqli_connect() and mysql_connect() will connect to mysql with default username and password.

4) magic_quotes_gpc
Enable magic_quotes_gpc so that you can make your user inputs secure. It work s same as addslashes() function. It will add a backslash () with every single quotes, double quotes.

5) safe_mode_allowed_env_vars and safe_mode_allowed_env_vars
These two variables will protect environment variables from changing using user php scripts. The field safe_mode_allowed_env_vars contains a list of prefixes that identify the names of the environment variables the user is allowed to change. So that environment variables which are not starting with one of them defined in safe_mode_allowed_env_vars cannot be modified.
Another configuration safe_mode_protected_env_vars will set the names of environment variables that the user is not allowed to modify even if it is present in safe_mode_allowed_env_vars.

6) disable_functions
This will allow you to disable the insecure functions such as shell_exec, system,exec.

This information was taken from: Secure Your PHP Scripts

This is win.....nice work

Mind if I link this in the Silkroad Section?(With you in the credits ofc) VSRO is huge and based strictly on an IIS Billing system. This is a must have and must know for the Silkroad Community.

**NoBrain** · 01-10-11

Originally Posted by evilxeddie

This is win.....nice work

Mind if I link this in the Silkroad Section?(With you in the credits ofc) VSRO is huge and based strictly on an IIS Billing system. This is a must have and must know for the Silkroad Community.

Sure, this thread is designed to help people.

Originally Posted by RetroX

XAMPP is used for people who develop. That's its whole purpose of it.
Was never meant to be used to run Private Servers on it.

this.

**Joopie** · 01-10-11

Originally Posted by Jupos

I use my owner Private Webserver, BrainServer. It's a mix of nginx, PHP, MySQL. Might be releasing it when it's finished. ;3

Lol'd, PHP and MySQL are stand-alone services x]

The webserver has nothing to-do with it.
It only execute it when needed.

Secure your PHP.INI file!

Thread Tools

Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Re: Secure your PHP.INI file!

Advertisement