
PHP 10.0 Blog:
Production mode
Dec 18, 2006 @ 08:43:00

To get some discussion going about ways to encourage security in PHP applications, Stas has posted an idea for a simplified php.ini setting: production=On.

His idea is that, with this setting on, the PHP installation would:

  • disable display errors
  • disable phpinfo()
  • turn expose_php off
  • make max_execution_time/memory_limit reasonable
  • and possibly a few others that some developers forget to set correctly

Comments on the post range from disagreement to suggestions for improvement and support.
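As an added example (not part of the original post or of Stas's proposal), here is a small PHP script that audits the running configuration against that checklist and reports which of the settings are still in their development-friendly state. The 30-second and 256 MB thresholds are assumptions, since the post only says "reasonable":

```php
<?php
// Added example: audit the running PHP configuration against the
// "production mode" checklist. Not from the original post.
// Thresholds for max_execution_time and memory_limit are assumptions.

declare(strict_types=1);

/** Convert a php.ini shorthand size ("128M", "2G", "-1") to bytes; -1 means unlimited. */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '' || $value === '-1') {
        return -1;
    }
    $number = (int) $value;                 // "128M" -> 128
    $unit = strtoupper(substr($value, -1)); // last character, if it is a unit
    return match ($unit) {
        'G' => $number * 1024 * 1024 * 1024,
        'M' => $number * 1024 * 1024,
        'K' => $number * 1024,
        default => $number,
    };
}

/** True when a php.ini boolean-ish value means "on". */
function ini_is_on(string|false $value): bool
{
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim($value)), ['1', 'on', 'true', 'yes'], true);
}

/**
 * Check the running configuration against the checklist.
 * Returns a list of human-readable findings; an empty list means nothing is wrong.
 */
function audit_production_mode(int $max_exec_seconds = 30, int $max_memory_bytes = 256 * 1024 * 1024): array
{
    $findings = [];

    // 1. display_errors: error output leaks paths, queries and stack traces to the client.
    if (ini_is_on(ini_get('display_errors'))) {
        $findings[] = 'display_errors is on: error messages reach the client';
    }

    // 2. phpinfo(): normally removed via disable_functions in php.ini.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (function_exists('phpinfo') && !in_array('phpinfo', $disabled, true)) {
        $findings[] = 'phpinfo() is callable: add it to disable_functions';
    }

    // 3. expose_php: adds the X-Powered-By header and the version easter eggs.
    if (ini_is_on(ini_get('expose_php'))) {
        $findings[] = 'expose_php is on: the PHP version is advertised to clients';
    }

    // 4. max_execution_time: 0 means unlimited, which lets runaway scripts tie up workers.
    $exec = (int) ini_get('max_execution_time');
    if ($exec === 0 || $exec > $max_exec_seconds) {
        $findings[] = "max_execution_time is {$exec}: runaway scripts can tie up the server";
    }

    // 5. memory_limit: -1 means unlimited, so one request can exhaust the host.
    $mem = ini_size_to_bytes((string) ini_get('memory_limit'));
    if ($mem === -1 || $mem > $max_memory_bytes) {
        $findings[] = 'memory_limit is ' . ini_get('memory_limit') . ': a single request can exhaust the host';
    }

    return $findings;
}

// Usage (CLI): php audit.php ; exit status is non-zero when anything is off.
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $findings = audit_production_mode();
    foreach ($findings as $finding) {
        echo "WARN: {$finding}\n";
    }
    exit($findings === [] ? 0 : 1);
}
```

Run it under the same SAPI that serves traffic (for example through a one-off web request or `php-fpm` worker) rather than only from the CLI, because php.ini values frequently differ between the two.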

tagged: production mode phpini setting phpinfo exposephp displayerrors

PHP Security Blog:
A Trio of Javascript Issues
Dec 01, 2006 @ 13:22:28

On the PHP Security Blog, there are three new posts by Stefan Esser that demonstrate some of the more destructive uses of Javascript he has found:

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks whether an embedded image has the "size" one would expect from a webserver running PHP with the expose_php setting set to "on".

tagged: javascript security issue portscan http auth firefox exposephp scan
