When you write PHP applications, the general guidelines for writing secure web applications apply. The most important rule is to take care of all user input: before any input is used by the application, it must be carefully validated.
With the built-in PHP session mechanism, it is important to manage sessions properly to prevent session fixation attacks. Moreover, the default method of storing session data in the file system should be replaced by a custom handler that stores the data in a database.
A problem that is not directly in the area of responsibility of the PHP web application developer is security in shared hosting scenarios. In general, it is advisable to avoid shared PHP hosting environments for security-critical applications.
Especially when the PHP interpreter runs as an Apache module, all scripts run with the privileges of the web server user. Therefore, all scripts potentially have access to all virtual hosts and all directories on the system, and it is possible to access the files of other hosting customers. This is where PHP Safe Mode comes in: it is an attempt to solve this problem. However, it approaches the problem at the PHP level, not at the operating-system level, so the problem may remain open depending on which other languages are allowed on the hosting system.
The following configuration directives can be used for configuring Safe Mode restrictions:
1. safe_mode – Turns Safe Mode on and off.
2. safe_mode_gid – By default, Safe Mode limits access to those files that have the same owner as the script file. This option relaxes the restriction to files that have the same group owner.
3. safe_mode_include_dir – This option defines a list of directories. For files included from within these directories, the owner and group owner restrictions do not apply.
4. safe_mode_exec_dir – This option defines a list of directories. Functions like system() that call system functions can only execute files that reside in the defined directories.
5. safe_mode_allowed_env_vars – This option defines a prefix for environment variables. PHP scripts can only set variables with this prefix.
6. safe_mode_protected_env_vars – This option defines a list of environment variables that PHP scripts are not allowed to change.
7. open_basedir – This option defines a path prefix. If defined, PHP scripts can only access files whose path begins with the defined prefix.
8. disable_functions – This option defines a list of PHP functions that are disabled and cannot be executed by PHP scripts.
9. disable_classes – This option defines a list of disabled PHP classes. These classes cannot be accessed by scripts.
Although Safe Mode is based on a conceptual error (it operates on the wrong layer), it can help reduce risk. This is true not only for shared hosting scenarios but also for dedicated web servers that host a single application. For example, restricting file access to a specific path and disabling functions such as system() can help limit the damage when an attacker finds a way to inject code.
Recommendations:
1. Do not use PHP Safe Mode as a substitute for proper programming and input validation.
2. Only use it as an additional line of defense.
3. Consider using Safe Mode even on dedicated web servers that host a single application.
The most important configuration option of the PHP interpreter is register_globals. This feature must be turned off, and applications should never rely on it. Moreover, the error reporting functionality of the PHP interpreter must be configured correctly. Error messages should never be displayed to the user; they must be written to local log files. The amount of detail in reported error messages should be lowered so that only the relevant information is recorded.
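The Safe Mode directives listed above together with the register_globals and error reporting settings, collected into one hardened php.ini fragment. This is an added example, not configuration from the original post; the paths and the list of disabled functions are assumptions for a single-application server.

```ini
; php.ini fragment (added example). Paths and function lists are assumptions.
; Safe Mode was deprecated in PHP 5.3 and removed in PHP 5.4; the lines in that
; section only apply to older interpreters, the rest apply to all versions.

; --- Safe Mode (older PHP only) ---
safe_mode = On
safe_mode_gid = Off                          ; keep the stricter owner check
safe_mode_include_dir = "/var/www/app/lib"   ; assumed path for shared includes
safe_mode_exec_dir = "/var/www/app/bin"      ; system() etc. limited to this dir
safe_mode_allowed_env_vars = "PHP_"          ; scripts may only set PHP_* vars
safe_mode_protected_env_vars = "LD_LIBRARY_PATH"

; --- Restrictions that work on every PHP version (the real line of defense) ---
; Weak default: open_basedir unset, every file the web server user can read
; is reachable from any script.
open_basedir = "/var/www/app:/tmp"           ; assumed application root
; Weak default: disable_functions empty. Disable the shell-spawning functions
; the application does not need so injected code cannot reach a shell.
disable_functions = "system,exec,shell_exec,passthru,proc_open,popen"
disable_classes = ""

; --- register_globals: off, and the application must never rely on it ---
register_globals = Off

; --- Error handling: log locally, never display to the client ---
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = "/var/log/php/app-error.log"     ; assumed path, writable by the
                                             ; web server user only
error_reporting = E_ALL                      ; everything goes to the log file

; --- Session hardening against fixation (ids from the client are rejected
;     unless the server issued them; storage handler is set in code) ---
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
```

After changing the file, confirm the effective values with `php -i | grep -E 'open_basedir|disable_functions|display_errors|register_globals'` on the command line, remembering that the CLI and the Apache module may read different php.ini files.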
Hi,
Just a moment back I was searching for information on the same topic and now I am here. So much information, really well executed blog. This is really informative and I will for sure refer my friends to the same.
I am sharing this blog. Web Development Agency
Thanks
This post is really very informative from the security point of view.
Joomla Developer India