Zend PHP 5 – Security – Configuration

Display Errors

Unless you are in a closed development state, there are certain configuration directive that should be disabled for security reasons. The “display_errors” directive should be disabled, and all error messages should be passed to system log files using the “log_errors” directive.

This prevents your environment from presenting sensitive information to the public.

You can disable display_errors and enable error logging in the php.ini file in your live environment by adding the following:

; Disable display_errors for security reasons
display_errors = 'off'
log_errors = 'on'

These directives can also be added in the .htaccess file, or in apache’s httpd.conf file:

# Disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on

Error Reporting

You can specify the level of PHP errors that are reported using the error_reporting() PHP function.

In a development environment, it is a good idea to set this to the following within the php.ini file:

error_reporting = E_ALL

This reports all PHP errors. In a live environment, is it a good idea to report errors except E_STRICT and E_DEPRECATED constants. This can be written like so:

error_reporting = E_ALL & ~E_STRICT & ~E_DEPRECATED

PHP installed as an apache module

When PHP is used as an Apache module it inherits Apache’s user permissions (typically those of the “nobody” user).

This has several impacts on security and authorisation. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the “nobody” user.

This means a malicious script could access and modify the database, even without a username and password.

This is where the open_basedir directive comes into effect. The open_basedir directive defines the locations or paths from which PHP is allowed to access files using functions like fopen() and gzopen(). If a file is outside of the paths defined by open_basdir, PHP will refuse to open it.

You can define the open_basedir directive within php.ini:

open_basedir = "/htdocs/somedirectory"

Or within apache’s httpd.conf file:

<VirtualHost 123.123.123.123:80>
    <Directory /htdocs/somedirectory>
        php_admin_value open_basedir "/htdocs/somedirectory"
    </Directory>
</VirtualHost>

Note: This article is based on PHP version 5.5.