
5 March 2010

PHP security checklist

When configuring PHP, there are a few security aspects that need attention.

; php.ini
allow_url_fopen = Off ; Disable URLs for file handling functions

register_globals = Off ; Make sure this hellish fiend is dead

open_basedir = /var/www/htdocs/files ; Restrict file handling functions to a subdirectory

safe_mode = Off ; Disable this, the next is often more practical
safe_mode_gid = On ; Enable safe mode with group check
safe_mode_exec_dir = /var/www/binaries ; Restrict execution functions to this directory
safe_mode_allowed_env_vars = PHP_ ; Restrict access to environment variables

max_execution_time = 30 ; Max script execution time
max_input_time = 60 ; Max time spent parsing inputs
memory_limit = 16M ; Max memory size used by one script
upload_max_filesize = 2M ; Max upload file size
post_max_size = 8M ; Max post size

display_errors = Off ; Do not show errors on screen

log_errors = On ; Log errors to log file

expose_php = Off ; Hide presence of PHP
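
An added example, not part of the original post: a small Python auditor that checks the text of a php.ini against the values in the checklist above. The function names, the constructed `SAMPLE` input and the reading of the numeric settings as upper bounds are assumptions of this example; it reports 0 and -1 because several of these directives use them to disable the limit.

```python
import re

# Expected values are the checklist's; numeric ones are treated as ceilings (assumption).
BOOLEANS = {"allow_url_fopen": False, "register_globals": False,
            "display_errors": False, "log_errors": True, "expose_php": False}
LIMITS = {"max_execution_time": "30", "max_input_time": "60",
          "memory_limit": "16M", "upload_max_filesize": "2M", "post_max_size": "8M"}
TRUTHY = ("1", "on", "true", "yes")  # php.ini spellings of boolean true
# Constructed sample input for this example, not a real server's php.ini.
SAMPLE = """\
allow_url_fopen = On
register_globals = Off
display_errors = 1      ; left on after debugging
log_errors = On
expose_php = Off
memory_limit = -1
max_execution_time = 30
max_input_time = 60
upload_max_filesize = 1024K
post_max_size = 1G
"""

def parse_ini(text):
    """Map directive -> value; strips ';' comments (a quoted ';' is not handled)."""
    pairs = (line.split(";", 1)[0].split("=", 1) for line in text.splitlines())
    return {p[0].strip(): p[1].strip().strip('"') for p in pairs if len(p) == 2}

def to_int(value):
    """Expand PHP shorthand sizes (K, M, G); plain integers pass through."""
    m = re.fullmatch(r"(-?\d+)\s*([KMG]?)", value, re.I)
    if not m:
        raise ValueError(f"unparseable value: {value!r}")
    return int(m.group(1)) * 1024 ** " KMG".index(m.group(2).upper() or " ")

def audit(text):
    """Return sorted (directive, problem) findings for php.ini text."""
    cfg, out = parse_ini(text), []
    for key, want in BOOLEANS.items():
        if key not in cfg or (cfg[key].lower() in TRUTHY) != want:
            out.append((key, f"want {'On' if want else 'Off'}, got {cfg.get(key, 'unset')}"))
    for key, cap in LIMITS.items():
        n = to_int(cfg[key]) if key in cfg else 0
        if n <= 0 or n > to_int(cap):  # 0 or -1 disables several of these limits
            out.append((key, f"want 1..{cap}, got {cfg.get(key, 'unset')}"))
    if not cfg.get("open_basedir"):
        out.append(("open_basedir", "unset, file functions are not confined"))
    return sorted(out)

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The auditor reads the file as written, so a value overridden per directory or at runtime will not show up in its findings.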

# Apache configuration or .htaccess

Order allow,deny
Deny from all
