It is impossible to make PHP applications completely secure in a production environment. However, with a few security tips you can avoid common mistakes and protect yourself from the most frequent attacks.
When using PHP in a production environment, you should have the following settings in php.ini:
safe_mode = Off
register_globals = Off
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
log_errors = On
display_errors = Off
error_log = /var/log/phperror.log
memory_limit = 32M
post_max_size = 12M
upload_max_filesize = 8M
max_execution_time = 120
max_input_time = 60
enable_dl = Off
disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,phpinfo,eval"
session.use_only_cookies = 1
All PHP errors will be stored in the file /var/log/phperror.log. The following commands create it and set its permissions:
touch /var/log/phperror.log
chmod 666 /var/log/phperror.log
Below is a description of directives used to secure PHP:
safe_mode: It is primarily intended to impose file access limits so that users cannot access files that do not belong to them. This setting is deprecated and should not be relied on.
register_globals: Disables the automatic creation of variables from request parameters. This means that all PHP scripts must use the $_REQUEST, $_GET, or $_POST arrays to retrieve user-provided data. This directive is responsible for many security issues in web applications because it allowed attackers to freely manipulate global variables.
expose_php: Hides the PHP version (the X-Powered-By header) from remote users' requests. There is no reason to let end users know which PHP version the server runs.
allow_url_fopen: This directive allows scripts to reference remote resources (URLs) as if they were local files. It is recommended to leave it disabled unless your application requires it.
allow_url_include: This directive allows scripts to include/require remote resources as if they were local files. As with the directive above, it is recommended to leave it disabled.
log_errors: When enabled, instructs PHP to log all errors to the file indicated by the error_log directive.
display_errors: Displaying PHP error messages should be disabled on production servers to avoid leaking information about your system environment through badly written scripts.
error_log: The file in which all PHP errors are stored, here /var/log/phperror.log; the two commands above create that file. Note that mode 666 leaves the log writable by every local user; restrict it to the web server's user where possible.
memory_limit: To prevent poorly written scripts from consuming all of the available memory, this directive sets the maximum amount of memory a script may consume.
post_max_size: Controls the maximum size of HTTP form submissions. You may tweak the value to suit your needs.
upload_max_filesize: Maximum allowed size for uploaded files.
max_execution_time: Maximum execution time of each script, in seconds. You may tweak the value to suit your needs.
max_input_time: Maximum amount of time, in seconds, each script may spend parsing request data.
enable_dl: This directive enables or disables the dl() function, which allows runtime loading of PHP extensions. It makes it possible to bypass some restrictions, so it is recommended to disable it unless your application requires it.
disable_functions: This directive allows you to disable several security-sensitive functions. Previously, this required hand-editing the C code from which PHP was built. For a reference of available functions you can use this list. Note that eval is a language construct rather than a function, so listing it in disable_functions has no effect.
session.use_only_cookies: Reduces the risk of session fixation by only allowing session IDs to be passed as cookies. In other words, enabling this setting prevents attacks that involve passing session IDs in URLs.
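As an added example that is not part of the original article, the following PHP script audits a running PHP instance against the settings above using ini_get() and reports every deviation; the script name audit.php and the helper iniOn are my own.

```php
<?php
// Audit the running PHP configuration against the hardening settings above.
// Run it under the same SAPI as production (php-fpm or mod_php): the CLI
// uses its own php.ini, so `php audit.php` may report different values.

// Directives that must be Off (false) or On (true) in production.
$expected = [
    'register_globals'         => false,
    'expose_php'               => false,
    'allow_url_fopen'          => false,
    'allow_url_include'        => false,
    'enable_dl'                => false,
    'display_errors'           => false,
    'log_errors'               => true,
    'session.use_only_cookies' => true,
];
// Functions the article disables. eval is left out on purpose: it is a
// language construct, so disable_functions cannot block it.
$mustBeDisabled = ['popen', 'exec', 'system', 'passthru', 'proc_open',
                   'shell_exec', 'show_source', 'phpinfo'];

// Returns null for directives this PHP build does not know (safe_mode and
// register_globals were removed in PHP 5.4, so they cannot be set anyway).
function iniOn(string $name): ?bool
{
    $value = ini_get($name);
    if ($value === false) {
        return null;
    }
    // Anything that is not an explicit "off" value counts as enabled; this
    // also catches display_errors = stderr.
    return !in_array(strtolower(trim($value)), ['', '0', 'off', 'false', 'no'], true);
}
$findings = [];
foreach ($expected as $directive => $shouldBeOn) {
    $isOn = iniOn($directive);
    if ($isOn !== null && $isOn !== $shouldBeOn) {
        $findings[] = sprintf('%s is %s, expected %s', $directive,
            $isOn ? 'On' : 'Off', $shouldBeOn ? 'On' : 'Off');
    }
}
$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
foreach ($mustBeDisabled as $fn) {
    if (function_exists($fn) && !in_array($fn, $disabled, true)) {
        $findings[] = "$fn is still callable; add it to disable_functions";
    }
}
if ((string) ini_get('error_log') === '') {
    $findings[] = 'error_log is not set; errors fall back to the SAPI log';
}
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "No deviations found\n";
```

Because ini_get() reports the effective value, the audit also catches overrides made in php-fpm pool files or .htaccess that a plain read of php.ini would miss.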