The previous post, Basic Security Related PHP Directives, covered the basic set of PHP directives that significantly affect security, and not only the security of PHP applications. This article extends that list with further security-related PHP configuration directives.
disable_functions (string)
Scope: PHP_INI_SYSTEM | Default value: Null
If you think that safe mode limits you too much, you can use this directive to disable only selected, potentially insecure functions. For example, disable_functions = fopen,popen,file disables the functions fopen(), popen() and file(). This directive does not depend on the status of safe mode (on/off).
disable_classes (string)
Scope: PHP_INI_SYSTEM | Default value: Null
This directive allows you to disable some of your own PHP classes which you don’t want to expose to others. For example, setting disable_classes = "administrator, accounting" completely turns these classes off. The effect of this directive doesn’t depend on safe_mode.
doc_root (string)
Scope: PHP_INI_SYSTEM | Default value: Null
This directive sets the root directory from which PHP files will be served. If doc_root is not set (is empty), it is ignored and PHP scripts are executed as specified by the URL. When safe mode is on and doc_root is not empty, no PHP scripts outside the path specified by this directive are executed.
max_execution_time (integer)
Scope: PHP_INI_ALL | Default value: 30
This directive specifies how long a script can run before it is terminated. It lets you prevent scripts from consuming all CPU time. The default is 30 seconds. A value of 0 (zero) means no limit.
memory_limit (integer)
Scope: PHP_INI_ALL | Default value: 8M
This directive specifies how much memory a script may use. The default value is 8 MB. No units other than megabytes are allowed, and the value must be followed by the letter M. The directive takes effect only when PHP was configured with the --enable-memory-limit option.
open_basedir (string)
Scope: PHP_INI_SYSTEM | Default value: Null
The open_basedir directive defines a directory to which all PHP file operations are limited. It is something like DocumentRoot for Apache. You can use it to prevent users from accessing areas they are not authorized for. Let’s suppose your web content is located in /home/www. You might want to prevent users from disclosing files like /etc/passwd and manipulating them with a couple of simple PHP commands. This can be done by setting open_basedir = "/home/www/". The effect of this directive does not depend on the safe_mode directive.
sql.safe_mode (integer)
Scope: PHP_INI_SYSTEM | Default value: 0
If sql.safe_mode is on, PHP ignores all information passed into mysql_connect() and mysql_pconnect() in which something other than localhost is used as the target host. The user under which PHP runs is used as the username, and no password is used.
user_dir (string)
Scope: PHP_INI_SYSTEM | Default value: Null
This directive specifies the name of the directory in a user’s home directory in which PHP scripts must be located to be allowed to execute. For example, if user_dir is set to scripts and “Johny” wants to execute somescript.php, Johny must create a directory named scripts in his home directory and place somescript.php there. The script is then accessed via the URL http://www.example.com/~johny/scripts/somescript.php. user_dir is very often used together with Apache’s UserDir configuration directive.
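
To check that the settings described above are actually in effect, the values can be read back with ini_get() from a script served by the same web server. The following is an added example, not code from the original article; the function name audit_php_directives, the default list of functions expected to be disabled (taken from the disable_functions example above) and the finding texts are assumptions.

```php
<?php
// Added example, not the article's code. $wanted and the finding texts are assumptions.

function audit_php_directives(array $ini, array $wanted = ['fopen', 'popen', 'file']): array
{
    $findings = [];
    // ini_get() returns false for unknown directives; treat that as an empty value.
    $get = function (string $k) use ($ini): string {
        return trim((string) ($ini[$k] ?? ''));
    };

    // disable_functions is a comma-separated list; report wanted names it lacks.
    $disabled = array_filter(array_map('trim', explode(',', $get('disable_functions'))));
    $missing = array_diff($wanted, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions does not list: ' . implode(', ', $missing);
    }
    // An empty open_basedir or doc_root means that restriction is not applied.
    foreach (['open_basedir', 'doc_root'] as $k) {
        if ($get($k) === '') {
            $findings[] = "$k is empty";
        }
    }
    // 0 means no execution time limit.
    if ((int) $get('max_execution_time') === 0) {
        $findings[] = 'max_execution_time is 0 (no limit)';
    }
    // No value means no memory limit is in force.
    if ($get('memory_limit') === '') {
        $findings[] = 'memory_limit is not set';
    }
    return $findings;
}

// Constructed sample values (not from a real server) showing a weak configuration.
$sample = ['disable_functions' => 'popen', 'open_basedir' => '', 'doc_root' => '/home/www',
           'max_execution_time' => '0', 'memory_limit' => '8M'];
echo "Constructed sample:\n";
foreach (audit_php_directives($sample) as $f) {
    echo "  [!] $f\n";
}

// Effective values of the interpreter running this script.
$live = [];
foreach (array_keys($sample) as $name) {
    $live[$name] = ini_get($name);
}
echo "This interpreter:\n";
foreach (audit_php_directives($live) as $f) {
    echo "  [!] $f\n";
}
```

Run it through the same SAPI as the application being checked: the command-line interpreter typically loads a different php.ini and defaults max_execution_time to 0.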