PHP Security Tips – Securing PHP by hardening PHP configuration

When it comes to security, ignorance is definitely not blissful. There are several methods to increase the security of your PHP environment.

In this article I will discuss how to secure PHP by hardening PHP 5 configuration.

1. allow_url_fopen ( enabled by default )

This directive allows PHP's file functions ( file_get_contents, include and require statements ) to retrieve data from remote locations, like FTP or HTTP.

If an attacker can manipulate the arguments to those functions, they can use a URL under their control as the argument and run their own remote scripts. The vulnerability is called Remote file inclusion or RFI.

; Disable allow_url_fopen in php.ini for security reasons
allow_url_fopen = Off

The setting can also be applied in apache's httpd.conf :

# Disable allow_url_fopen for security reasons
php_admin_flag allow_url_fopen Off

It prevents URLs from being used in PHP. A command like include ("") will not be allowed to execute. Only files that reside within your site can be included: include("/var/www/html/").

Print This Post Print This Post