The highest security level with settings in PHP file

notset

Hello,

Could be my site more secured using only settings which are available in PHP file than it's with these options?

<?php
ini_set('safe_mode', 1);
ini_set('url_rewriter.tags', 0);
ini_set('register_globals', 0);
ini_set('magic_quotes_gpc', 0);
ini_set('open_basedir', dirname(__FILE__).'/');

error_reporting(0);

session_save_path(dirname(__FILE__).'/sessions');
session_name('s');
session_start();
?>

visualAd

Short anwser, no, that code does nothing to "secure" a script. Aside from the fact that the only call to ini_set that will actually work it url_rewriter.tags (the other settings can only be set in the php.ini file or .htaccess files for security reasons), the storing of sessions in a directory under the document root makes it even less secure.

None the less here are a few tips which you should follow:

If you can get access to the php.ini file, set the open_basedir and settings and ensure that register globals is turned off.
You can turn on safe_mode but don't let it draw you into a false sense of security. Safe mode doesn't make PHP safe, it merely allows you to set additional settings which restrict what your scripts can and cannot do.
Turn error reporting ON error_reporting(E_ALL) and send errors to a file using the error_log setting. Have PHP email you the file every day. If you have written your scripts properly the file should be empty 😉
DO NOT store session files in a directory which is under the document root and if you do not have a choice, ensure that the directory has strict permissions which allows only PHP to see them. If your host doesn't allow you to set permissions or store a file above the document root, find a new host.
Most importantly, check ALL user input. This includes, cookies, post and get variables. Also check data from other sources i.e: web services and any programs your script may invoke. This is often the weakest point of any PHP script.

You should check that all user submitted variables contain the data you expect and no other. If the data is to be inserted into a database, XML document or command string, it must be appropriatly escaped.
Lastly, if you are running your own server, ensure you have the latest version of PHP installed and the latest versions of any libraries PHP links against.

Security is something that should be a habbit and form part of any peice of code you write. There is not a single peice of code you can insert at the top of your script which will make them it secure and while PHP has huge potential and flexibility, a poorly written script can spell disaster for your web site and the server it runs on.

rocklv

Generally, system administrator would not give you the access to modify php.ini.

MarkR

rocklv wrote:
Generally, system administrator would not give you the access to modify php.ini.

In which case, they're a lousy systems administrator. Their job is to make it easy for developers to deploy secure applications. Refusing to modify php.ini is not doing so. They should be sacked by management and you should get a new one.

register_globals cannot be (usefully) set with ini_set, nor can magic_quotes_gpc.

If you use sessions, set session.use_only_cookies to true - this will prevent any possibility that someone can do session fixation attacks via the query string
Write an error handler which records verbose error reports on to the PHP error log and/or by email, but shows the user a stock error page

BUT the best advice I can give you is to use a systematic application-wide system for defeating the following categories of attack:
- SQL injection (Fix: use parameterised queries throughout application, and/or a do a careful audit of all SQL commands)
- Cross-site scripting (Fix: use a templating system which makes it easy for you to escape everything in HTML as necessary; do so systematically)

Because a single hole is sufficient for an attacker, you must address security problems across your entire application rather than sticking a few lines in a header and forgetting about it.

Mark

notset

Thank's for comments.

I know about Cross-site scripting, SQL injection and etc.

Now i wan't to do everything what is possible to secure my script outside it in shared hosting, where no php.ini and no httpf.conf.

From visualAd's post i make conclusion that i need to use .htaccess for PHP settings instead of .php file.

DO NOT store session files in a directory which is under the document root and if you do not have a choice, ensure that the directory has strict permissions which allows only PHP to see them. If your host doesn't allow you to set permissions or store a file above the document root, find a new host.

But if my site is in shared hosting - it isn't more secure to store session files inside the doc. root and put .htaccess file there with "Deny from all" ?

Options None
AddDefaultCharset utf-8
php_flag log_errors 1
php_flag register_globals 0
php_flag magic_quotes_gpc 0
php_flag url_rewriter.tags 0
php_flag session.auto_start 1
php_value session.save_path "<???>"
php_value include_path "<root script path>"
<Files ~ "^\._*">
	Order Deny,Allow
	Deny from All
</Files>
ErrorDocument 400 error
ErrorDocument 401 error
ErrorDocument 403 error
ErrorDocument 404 error
ErrorDocument 405 error
ErrorDocument 500 error
ErrorDocument 501 error
ErrorDocument 502 error
ErrorDocument 503 error

So, in my header.php file left only error_reporting(E_ALL);

Another question: maybe exists a variable which i could use in .htaccess to define the directory in which this file is located?

visualAd

Look here. Only settings marked as PHP_INI_ALL and PHP_INI_PERDIR can be changed in a .htaccess file.

notset

visualAd wrote:
Look here. Only settings marked as PHP_INI_ALL and PHP_INI_PERDIR can be changed in a .htaccess file.

I already looked to that page before pasting my .htaccess content. What's wrong?

visualAd

Ignore that :p - I thought register_globals was PHP_INI_SYSTEM.

If you want to set the include path to the directory path of the running script set it to "."; i.e: current directory only.

MarkR

I recommend that you do as little in .htaccess as possible, and do as much in PHP as possible- this will make your application easier to maintain, as the PHP can do whatever it likes whereas .htaccess is limited.

Therefore the only things you need to set in .htaccess are things which cannot be set in PHP because it's "too late" - e.g. magic quotes, register_globals etc.

Disable session.auto_start in .htaccess, then manually set the session parameters as you like in PHP and call session_start() after you've got it set up appropriately.

This will mean that you don't need to hard code any paths. You can store the sessions in an application directory if you like.

As far as denying web access to include, data directories etc, is concerned, I normally put in a .htaccess in those directories themselves, containing the single line:

Deny From All

Which does the job nicely.

Mark

notset

Thank's for reply, MarkR. You very helped me.

So, my .htaccess now after some modifications:

Options None
AddDefaultCharset utf-8
php_flag register_globals 0
php_flag magic_quotes_gpc 0
php_flag session.auto_start 0
<Files ~ "^\._*">
	Order Deny,Allow
	Deny from All
</Files>
ErrorDocument 400 error
ErrorDocument 401 error
ErrorDocument 403 error
ErrorDocument 404 error
ErrorDocument 405 error
ErrorDocument 500 error
ErrorDocument 501 error
ErrorDocument 502 error
ErrorDocument 503 error

And header.php:

<?php
ini_set('url_rewriter.tags', 0);
ini_set('error_log', dirname(__FILE__).'/cache/errors.log');

error_reporting(E_ALL);

session_save_path(dirname(__FILE__).'/cache/sessions');
session_name('s');
session_start();
?>

There is a .htaccess file with "Deny from all" in directory '/cache'.

What else i should add or change?