wowpatrick
Reputation: 5180
How to set up a secure PHP environment on a wide base of PHP configurations
I'm just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hosts don't allow ini_set() and only allow configuration with the php.ini file. Is there a way to set up a secure PHP environment on a wide base of PHP configurations? How do other PHP programs face this problem (e.g. Wordpress, Drupal etc.).
Upvotes: 1
Views: 163
Answers (2)
Pascal MARTIN
Reputation: 401182
Generally speaking :
- In your software :
- try to not depend on too many system-wide settings
- have something that works with default settings (see the php.ini file(s) that are provided with a default PHP installation -- both from php.net, and from the major Linux distributions)
- Write some short and clear list of requirements
- Code some kind of installation script, that will :
- check automatically for those requirements,
- and explain how to set those that are not properly configured
Upvotes: 2
Pekka
Reputation: 449803
You could output a warning if you encounter a setting that you deem unsecure.
Many web apps do it that way, e.g. if the install script isn't deleted, or the administrator has a default password.
Upvotes: 0
Related Questions
- Does php have an equivalent to python's virtualenv or ruby's sandbox?
- PHP security: include and config.ini
- Safe working with multiple *.ini in php
- Security and .ini file
- Overriding PHP.ini in a shared development environment
- Alternative to storing PHP config values in php.ini
- Best practice to hide/secure the php-engine config file?
- PHP app - how and where is the best way to safe settings
- Using config.ini for a project
- Best Practices for creating a PHP INI/CONFIG file and keep it secure