Aug 12

$this->Post->title('my custom php.ini');

Someone asked me what to consider when creating your own php.ini. I said: of course disable global variables, set upload and resource limits, and set a session timeout. If you use the PHP language, the odds are you will need a custom php.ini at some point. Here is the PHP configuration I encourage you to have on your web server, which I checked after .

Turn off Register Globals

register_globals = off

If you code with register_globals OFF, you only need to make sure you don’t leave any uninitialised variables that can be abused by attackers. Whether it is on or off, you still need to validate all user input, so I prefer register_globals OFF, since it saves having to worry about which of my variables could be overwritten from $_POST, $_GET or a cookie.

Avoid Opening Remote Files

allow_url_fopen = off

One of the useful abilities of PHP is the ability to open files remotely without any complex processing.

Many simple scripts use this ability, for example a comic viewer might open up images from a remote server just using the fopen function - which is ordinarily used to open files.

It is an ability that has often been abused in insecure scripts, though.

If you have a script that tries to open a file and the filename is controllable by a remote user, two things can happen:

  • Any file on the local system that the web server can read can be viewed by the remote attacker.
  • Arbitrary commands can be executed on your server if the user can cause a remote PHP file to be opened and included.

Disable session use_trans_sid

session.use_trans_sid = 0

PHP will add a unique PHPSESSID query parameter to URIs within your site if cookies are not available and session.use_trans_sid is set. While this helps visitors who do not accept cookies, search engines will rank your site low, and the session id ends up in URLs that get bookmarked, logged and shared.

Since PHP version 4.2.0 you no longer need to configure PHP with --enable-trans-sid to have transparent session support, which means that a lot more hosts will have it.

Without this feature you can usually choose between sending cookies to the visitor and modifying the URLs, with cookies being the default setting. Cookies do no harm (most of the time) but appending a query string to all URLs is quite different.

Turn on log_errors and turn off display_errors

log_errors = On
display_errors = Off

Disable Dangerous PHP Functions

disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru

Turn on safe_mode

I highly recommend you enable safe_mode on production servers, especially in shared environments. This will stop the exec functions and others that can easily lead to a security breach.
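To check that a server's php.ini actually matches the settings above, here is an added Python audit script (not code from the original post). The baseline is taken from this post's recommendations; the parser, the function names `parse_php_ini` and `audit`, and the sample php.ini are my own constructions.

```python
# Baseline from the post: the first four Off, log_errors and safe_mode On.
EXPECTED_FLAGS = {
    "register_globals": False, "allow_url_fopen": False,
    "session.use_trans_sid": False, "display_errors": False,
    "log_errors": True, "safe_mode": True,
}
# Functions the post lists under disable_functions.
EXPECTED_DISABLED = {"proc_open", "popen", "disk_free_space", "diskfreespace",
                     "set_time_limit", "leak", "tmpfile", "exec", "system",
                     "shell_exec", "passthru"}

def parse_php_ini(text):
    """Return {key: value}; ';' starts a comment, '[section]' headers and
    blank lines are skipped, surrounding double quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    cfg = parse_php_ini(text)
    findings = []
    for key, want in EXPECTED_FLAGS.items():
        label = "On" if want else "Off"
        # A missing key falls back to PHP's compiled-in default, so flag it
        # and have the admin set it explicitly rather than trust the default.
        if key not in cfg:
            findings.append(f"{key}: not set, expected {label}")
        # php.ini truthiness: on/true/yes/1 are true, anything else is false.
        elif (cfg[key].lower() in {"on", "true", "yes", "1"}) != want:
            findings.append(f"{key}: is {cfg[key]!r}, expected {label}")
    listed = cfg.get("disable_functions", "").split(",")
    missing = sorted(EXPECTED_DISABLED - {f.strip() for f in listed})
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return findings

# Constructed sample: a stock-looking php.ini that fails several checks.
SAMPLE_INI = """[PHP]
register_globals = On ; legacy apps still need this
allow_url_fopen = "Off"
display_errors = 1
disable_functions = exec, system
"""
```

Running `audit(SAMPLE_INI)` returns six findings, one per setting that is wrong or unset plus the list of functions still missing from disable_functions.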

One Response to “my custom php.ini”

  1. jhamez Says:

    Bro, my nose is bleeding, your knowledge is beyond my grasp… : )
