{"id":869,"date":"2011-11-04T10:53:55","date_gmt":"2011-11-04T03:53:55","guid":{"rendered":"https:\/\/www.whplus.com\/blog\/?p=869"},"modified":"2019-03-27T13:44:08","modified_gmt":"2019-03-27T06:44:08","slug":"securing-php-ini","status":"publish","type":"post","link":"https:\/\/www.whplus.com\/blog\/2011\/11\/04\/securing-php-ini.html","title":{"rendered":"Securing php.ini"},"content":{"rendered":"

Disabling Functionality <\/strong><\/p>\n

There are certain functions in PHP that we don\u2019t want users to use because of the danger they are. Even if you know your users aren\u2019t utilizing certain functions it is wise to completely disable them so an attacker can\u2019t use them. This security precaution is especially effective at stopping an attacker who has somehow managed to upload a PHP script, write one to the filesystem, or even include a remote PHP file. By disabling functionality you ensure that you can limit the effectiveness of these types of attacks. Of course, there are always users who\u2019s to complain these, but We say sorry! Use Virtual Private Server and run itself what you want.<\/p>\n

disable_functions = exec, system, passthru, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl, popen, show_source, posix_kill, posix_mkfifo, posix_getpwuid, posix_setpgid, posix_setsid, posix_setuid, posix_setgid, posix_seteuid, posix_setegid, posix_uname<\/code><\/p>\n

Disable Remote File Includes<\/strong><\/p>\n

Attackers will often attempt to identify file inclusion vulnerabilities in applications then use them to include malicious PHP scripts that they write. Even if an attacker doesn\u2019t have write access to the web application directories if remote file inclusion is enabled the attacker can host malicious PHP scripts on other servers and the web application will fetch them and execute them locally!<\/p>\n

We don\u2019t block url_fopen our hosting environment, because cause lot of problems to websites!<\/p>\n

allow_url_fopen = On
\nallow_url_include = Off<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

Disabling Functionality There are certain functions in PHP that we don\u2019t want users to use because of the danger they are. Even if you know your users aren\u2019t utilizing certain functions it is wise to completely disable them so an attacker can\u2019t use them. This security precaution is especially effective at stopping an attacker who\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-869","post","type-post","status-publish","format-standard","hentry","category-tutorial"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t