PHP Security

When I started my Linux career, I had to learn a lot about security and the
php.ini file.

One of the security features I employ with PHP is the Suhosin patch, which you
can get at:

http://www.hardened-php.net/suhosin/

Plus, here is my custom php.ini:


```ini

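; Hardened php.ini.  Every directive is kept from the original file unless a
; comment says it was changed; the comments record the security intent so the
; next admin knows which lines are load-bearing.

engine = On
short_open_tag = On
asp_tags = On
precision = 10
y2k_compliance = On
output_buffering = On
zlib.output_compression = On
implicit_flush = Off
unserialize_callback_func =
serialize_precision = 100
allow_call_time_pass_reference = On

; safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on those versions
; it is not a security boundary at all.  open_basedir plus running each site as
; its own OS user is the replacement (placeholder, adjust the path):
;open_basedir = /path/to/site/docroot:/tmp
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH

; Functions a script may not call.  Fixed the typo get_current_use ->
; get_current_user (a misspelled name disables nothing).  setlimit and execute
; do not appear to be PHP builtins; an unknown name in this list is harmless.
disable_functions = chmod, chown, chgrp, exec, shell_exec, curl_multi_exec, parse_ini_file, show_source, passthru, popen, proc_open, escapeshellcmd, escapeshellarg, proc_nice, proc_close, proc_get_status, proc_terminate, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, symlink, ini_alter, ini_get_all, ini_restore, leak, mysql_list_dbs, setlimit, set_time_limit, getmyuid, getmypid, getrusage, get_current_user, highlight_file, diskfreespace, disk_free_space, disk_total_space, pclose, pfsockopen, pcntl_exec, execute, system

; Blocks only a class literally named pBot; a renamed copy is unaffected, so
; treat this as a convenience, not a control.
disable_classes = "pBot"
; Changed from On: Off keeps the PHP version out of the X-Powered-By header.
expose_php = Off

max_execution_time = 30
max_input_time = 30
memory_limit = 99M

; error logging
error_reporting = E_ALL & ~E_NOTICE
; Changed from On: errors rendered to the client leak file paths, SQL and
; internal detail.  log_errors = On below keeps them in the log instead.
display_errors = Off
display_startup_errors = Off
log_errors = On
ignore_repeated_errors = On
ignore_repeated_source = On
report_memleaks = Off
track_errors = Off
html_errors = Off
; A relative path is resolved against the working directory, so the log can end
; up inside the document root and be served.  Prefer an absolute path outside it
; (placeholder: /path/outside/docroot/php_error.log).
error_log = error_log
xmlrpc_errors = Off
xmlrpc_error_number = 0

; variables
variables_order = "EGPCS"
; Off: request input must never become global variables.
register_globals = Off
register_argc_argv = Off
register_long_arrays = Off
post_max_size = 100M
gpc_order = "GPC"

; magic quotes -- kept as set, but they are not an injection defence: they
; escape only quote characters, for one encoding, and were removed in PHP 5.4.
; Use prepared statements / parameterised queries in the application instead.
magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off

auto_prepend_file =
auto_append_file =

; doesn't apache do this?
default_mimetype = "text/html"
default_charset = "iso-8859-1"

always_populate_raw_post_data = Off

; File Uploads ;
file_uploads = On
;upload_tmp_dir =
upload_max_filesize = 99M
; Changed from On: dl() lets a script load any extension, which sidesteps
; disable_functions entirely.
enable_dl = Off

; Fopen wrappers ;
; allow_url_fopen is kept On as in the original.  allow_url_include (added)
; stays Off so include/require cannot pull code from a URL.
allow_url_fopen = On
allow_url_include = Off
user_agent="PHP"
default_socket_timeout = 3056
auto_detect_line_endings = On

; Module Settings

[Syslog]
define_syslog_variables = Off
[mail function]
smtp_port = 25
sendmail_path = "/usr/sbin/sendmail -t -i"
[Java]
;java.class.path = .\\php_java.jar
;java.home = c:\\jdk
;java.library = c:\\jdk\\jre\\bin\\hotspot\\jvm.dll
;java.library.path = .\\
[SQL]
sql.safe_mode = Off

[ODBC]
;odbc.default_db    =  Not yet implemented
;odbc.default_user  =  Not yet implemented
;odbc.default_pw    =  Not yet implemented
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[bcmath]
bcmath.scale = 2

[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port =
mysql.default_socket =
mysql.default_host =
mysql.default_user =
mysql.default_password =
mysql.connect_timeout = 30
mysql.trace_mode = Off

[mSQL]
msql.allow_persistent = On
msql.max_persistent = -1
msql.max_links = -1

[PostgreSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[Session]
session.save_handler = files
; /tmp is typically shared by every PHP site on the host; a per-site directory
; readable only by that site's user keeps one compromised site from reading
; another site's sessions.
session.save_path = /tmp
session.use_cookies = 1
; 1: the session id is accepted from the cookie only, never from the URL.
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = "/"
session.cookie_domain =
; Added: HttpOnly keeps document.cookie from reading the session id, so an XSS
; bug cannot simply exfiltrate it.  Once the site is HTTPS-only also set:
;session.cookie_secure = 1
session.cookie_httponly = 1
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 100
session.gc_maxlifetime = 1440
session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
; The original set session.entropy_length twice (0, then 32); only the last
; value takes effect, so the dead first line was dropped.
session.entropy_file = /dev/urandom
session.entropy_length = 32
session.cache_limiter = nocache
session.cache_expire = 30
; 0: never rewrite links to carry the session id.
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

[Assertion]
assert.active = Off
assert.warning = Off
assert.bail = Off
assert.callback = 0
assert.quiet_eval = 0

date.timezone="Europe/Berlin"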

```

I hope this helps future Linux admins :slight_smile: