Elxis CMS Forum
Support => Security => Topic started by: CREATIVE Options on September 30, 2007, 23:08:52
-
Register Globals
Elxis works with register_globals disabled
In php.ini:
register_globals = Off
Note: if you cannot change the PHP configuration, try with a .htaccess file:
php_flag register_globals off
Allow url fopen
In php.ini:
allow_url_fopen = Off
http://www.php.net/manual/en/ini.php
http://www.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
Error Reporting
On a production server, we suggest you disable the display of error messages.
In php.ini:
log_errors = On
display_errors = Off
error_log = /var/log/php/errors
Note: the folder /var/log/php must be writable by the web server user (www-data, httpd, ...).
Disable functions
You can disable these functions:
In php.ini:
disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
Open_basedir
Sample of use in the Apache configuration:
<VirtualHost 127.0.0.1>
DocumentRoot /home/www/somewhere.com/html
ServerName somewhere.com
ServerAlias www.somewhere.com
php_admin_value open_basedir /home/www/somewhere.com/
</VirtualHost>
Safe mode
http://www.php.net/manual/en/features.safe-mode.php#ini.safe-mode
Functions restricted/disabled by safe mode
http://www.php.net/manual/en/features.safe-mode.functions.php
MySQL
http://greg.chiaraquartet.net/archives/124-Protecting-a-MySQL-userpassword-in-a-PHP-script.html
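Added example, not part of the original post and not Elxis code: a small Python auditor that parses php.ini text and reports every directive that departs from the settings recommended above (register_globals, allow_url_fopen, display_errors, log_errors, error_log, disable_functions, open_basedir). The two php.ini fragments are constructed for the example. It assumes the usual php.ini boolean spellings (On/Off, True/False, Yes/No, 1/0) and that a directive is written as "name = value"; it does not assert what PHP's built-in default is for an unset directive, it only flags that the default is in effect.

```python
"""Audit php.ini text against the hardening settings listed in the post (added example)."""

# php.ini boolean spellings as PHP's ini parser understands them (assumption: the
# common forms only; anything else is reported as unrecognised).
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"", "0", "off", "false", "no", "none"}

# The functions the post suggests putting in disable_functions.
RECOMMENDED_DISABLED = {
    "proc_open", "popen", "disk_free_space", "diskfreespace", "set_time_limit",
    "leak", "tmpfile", "exec", "system", "shell_exec", "passthru",
}

# Constructed sample: a development-style php.ini with the weak settings.
WEAK_INI = """
; constructed sample, not a real server's file
[PHP]
register_globals = On
allow_url_fopen = On
display_errors = On
log_errors = Off
disable_functions =
"""

# Constructed sample: the post's recommendations written as valid "name = value" lines.
HARDENED_INI = """
; constructed sample, not a real server's file
[PHP]
register_globals = Off
allow_url_fopen = Off
log_errors = On
display_errors = Off
error_log = /var/log/php/errors
disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
open_basedir = "/home/www/somewhere.com/"
"""


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; sections and ';' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop whole-line and trailing comments
        if not line or line.startswith("["):
            continue
        if "=" not in line:
            # "register_globals off" (no '=') is not a valid directive; keep it for reporting.
            settings.setdefault("__malformed__", []).append(line)
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # unquote "..." or '...'
        settings[key.strip().lower()] = value
    return settings


def as_bool(value):
    """Map a php.ini boolean spelling to True/False, or None if unrecognised."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit(settings):
    """Return a list of (directive, finding) for everything that departs from the post's advice."""
    findings = []

    for line in settings.get("__malformed__", []):
        findings.append(("syntax", f"line without '=' is not a valid directive: {line!r}"))

    # Boolean directives and the value the post wants for each.
    for name, wanted in (("register_globals", False), ("allow_url_fopen", False),
                         ("display_errors", False), ("log_errors", True)):
        if name not in settings:
            findings.append((name, "not set; PHP's built-in default applies"))
            continue
        got = as_bool(settings[name])
        if got is None:
            findings.append((name, f"unrecognised boolean value {settings[name]!r}"))
        elif got != wanted:
            findings.append((name, f"is {'On' if got else 'Off'}, should be {'On' if wanted else 'Off'}"))

    # Without error_log, logged errors go to the SAPI/web server log, not the dedicated file.
    if not settings.get("error_log", "").strip():
        findings.append(("error_log", "not set; errors go to the web server log, not a dedicated file"))

    # disable_functions: every function from the post must be present (comma separated).
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append(("disable_functions", "still enabled: " + ", ".join(missing)))

    # open_basedir confines file access to the vhost tree; unset means no restriction.
    if not settings.get("open_basedir", "").strip():
        findings.append(("open_basedir", "not set; PHP may open any file the web server user can read"))

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for directive, finding in audit(parse_php_ini(text)) or [("ok", "no findings")]:
            print(f"  {directive}: {finding}")
```

Run it against a real file with `audit(parse_php_ini(open("/etc/php.ini").read()))`; the Apache `php_admin_value` / `php_flag` overrides from the virtual host and .htaccess are not seen by a php.ini parser, so the final word on a live server is still `ini_get()` from inside PHP.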