Chapter 11: Securing PHP

Table 11-2 PHP Security Directives

Directive         | Can Be Set in php.ini | Can Be Set at Run Time with ini_set()
------------------+-----------------------+---------------------------------------
disable_functions | Yes                   | No
disable_classes   | Yes                   | No
allow_url_fopen   | Yes                   | No (a PHP_INI_SYSTEM directive in current PHP releases)
open_basedir      | Yes                   | Yes (at run time it can only be narrowed, never widened)
error_reporting   | Yes                   | Yes
display_errors    | Yes                   | Yes
log_errors        | Yes                   | Yes
expose_php        | Yes                   | No
max_input_time    | Yes                   | No
session.name      | Yes                   | Yes (must be set before session_start())
NOTE It is necessary to restart the Web server in order to activate changes made to the PHP configuration file, php.ini, when PHP runs as a Web server module (for example, Apache's mod_php). When PHP runs under PHP-FPM, restart or reload the FPM service instead; the Web server itself keeps no copy of php.ini. Either way, verify the live value afterwards with phpinfo() or ini_get() rather than trusting the edited file.
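The following script, added here as an example and not taken from the book, applies the runtime-changeable directives from Table 11-2 at the top of a request, verifies that each one actually took effect, and confirms which directives refuse ini_set() and therefore belong in php.ini. It assumes it runs before any output and before session_start(); the log path /var/log/php/app.log and the session name APPSESSID are hypothetical values chosen for the example. Note that allow_url_fopen is listed with the php.ini-only group because current PHP releases mark it PHP_INI_SYSTEM.

```php
<?php
declare(strict_types=1);

// Added example, not code from the book. Assumptions: no output has been
// sent yet, session_start() has not been called, /var/log/php/app.log is a
// hypothetical log file writable by the Web server user, and APPSESSID is
// an arbitrary replacement for the default session cookie name.

/** Hardened values for the directives that ini_set() is allowed to change. */
function runtimeHardening(): array
{
    return [
        'display_errors'  => '0',                    // never show errors to the browser ...
        'log_errors'      => '1',                    // ... but always log them
        'error_log'       => '/var/log/php/app.log', // hypothetical path
        'error_reporting' => (string) E_ALL,         // ini values are strings
        // open_basedir may only be narrowed at run time, never widened: if
        // php.ini already confines PHP to a tree that excludes __DIR__ or the
        // temp directory, this entry fails and is reported by applyHardening().
        'open_basedir'    => __DIR__ . PATH_SEPARATOR . sys_get_temp_dir(),
        'session.name'    => 'APPSESSID',            // hides the default PHPSESSID
    ];
}

/** Directives from the table that are PHP_INI_SYSTEM or PHP_INI_PERDIR. */
function iniOnlyDirectives(): array
{
    return ['disable_functions', 'disable_classes', 'allow_url_fopen',
            'expose_php', 'max_input_time'];
}

/**
 * Apply each setting and return the names that did not take effect.
 * ini_set() returns the previous value on success and false when the
 * directive cannot be changed in this context, so both the return value
 * and a read-back through ini_get() are checked.
 */
function applyHardening(array $settings): array
{
    $failed = [];
    foreach ($settings as $name => $value) {
        if (ini_set($name, $value) === false || ini_get($name) !== $value) {
            $failed[] = $name;
        }
    }
    return $failed;
}

/**
 * Try to re-set each php.ini-only directive to its current value. A false
 * return from ini_set() confirms the directive is not runtime-changeable;
 * any name that unexpectedly succeeds is returned for review, since that
 * would mean a script could weaken it at run time.
 */
function confirmIniOnly(array $names): array
{
    $changeable = [];
    foreach ($names as $name) {
        $current = ini_get($name);
        if ($current !== false && ini_set($name, $current) !== false) {
            $changeable[] = $name;
        }
    }
    return $changeable;
}

$failed = applyHardening(runtimeHardening());
if ($failed !== []) {
    // Fail closed: a directive that refuses to take effect is a deployment
    // problem that should surface immediately, not a condition to run under.
    error_log('Runtime hardening failed for: ' . implode(', ', $failed));
    http_response_code(500);
    exit;
}

$changeable = confirmIniOnly(iniOnlyDirectives());
if ($changeable !== []) {
    error_log('Unexpectedly runtime-changeable: ' . implode(', ', $changeable));
}

// Only now start the session, so the renamed cookie is the one issued.
session_start();
```

The php.ini-only group has to be hardened in the configuration file itself: expose_php = Off removes the X-Powered-By header, disable_functions = exec,passthru,shell_exec,system,proc_open,popen blocks the usual command-execution functions, allow_url_fopen = Off stops include and fopen from fetching remote URLs, and max_input_time bounds how long PHP spends parsing request input. After editing the file, restart the Web server (or reload PHP-FPM) and read the values back with ini_get(), as the script does, rather than assuming the edit took effect.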
Summary

This chapter focused specifically on security, discussing various techniques you can use to reduce the risk of damage (whether intended or accidental) to your PHP application. It showed you the basics of input and output sanitization, explained how to escape database input and defang third-party output, and offered tips on securing your application files, databases, and sessions. It also gave you a crash course in input validation, showing you how regular expressions, character type functions, and conditional tests may be used to check the validity of user input before using it in a calculation or database operation.

While this chapter covered a lot of ground, it's still only the tip of the iceberg: PHP security is a vast topic, and building a robust, attack-resistant application requires both experience and sound technical knowledge. Fortunately, acquiring expertise in this subject isn't difficult; there are numerous resources available online to help you learn about potential attacks and plug loopholes in your application code. You're encouraged to visit these to learn more about the topics discussed in this chapter:

● An overview of PHP security issues, at www.php.net/security
● The PHP Security Guide, at www.phpsec.org/projects/guide/