Apache .htaccess and php security
As anybody who has worked with Apache's .htaccess can confirm, it is a mighty and dangerous tool!
You can use it for several purposes, such as changing the default page, URL rewriting, redirection and securing directories, but not everybody knows that you can also use it to override your PHP settings.
Normally PHP reads its settings from php.ini, which on a shared server is usually hidden from (and not editable by) developers.
Let's see how this works:
According to PHP security best practices there are a few settings that definitely need reviewing, and some of them need to be changed to make sure PHP is protected as well as possible against malicious attacks and plain vulnerabilities.
Use phpinfo() and review these settings in your hosting environment. Some of them might already be correct, but most of the time at least some are definitely not. Now open your existing .htaccess file (or create one) and add the following lines to it:
# set register_globals off
php_flag register_globals off
# set allow_url_fopen off
php_flag allow_url_fopen off
# set magic_quotes_gpc off
php_flag magic_quotes_gpc off
# set magic_quotes_runtime off
php_flag magic_quotes_runtime off
Run phpinfo() again and review the changes.
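Instead of reading through the phpinfo() output by hand, the check can be scripted. The script below is an added example, not code from the original post: drop it into the directory protected by the .htaccess file and request it once. It reports each of the four settings as off, still on, or not present in this PHP build (register_globals and the magic_quotes settings were removed in PHP 5.4, so ini_get() returns false for them there). It also checks php_sapi_name(), because php_flag only works when PHP runs as an Apache module (mod_php); under CGI or FastCGI the directives are not understood and typically break the site with a 500 error, so the settings have to be changed in a php.ini or user.ini instead.

```php
<?php
// Added example (not from the original post): verify that the php_flag
// directives in .htaccess actually took effect for this script's directory.

$mustBeOff = [
    'register_globals',
    'allow_url_fopen',
    'magic_quotes_gpc',
    'magic_quotes_runtime',
];

// ini_get() returns a string such as "", "0" or "Off" when a flag is disabled.
function iniIsOff($value): bool
{
    return in_array(strtolower((string) $value), ['', '0', 'off', 'false', 'no'], true);
}

// php_flag / php_value are only honoured by mod_php (SAPI "apache2handler").
$sapi = php_sapi_name();
if ($sapi !== 'apache2handler') {
    printf("Warning: PHP runs as '%s', not as an Apache module. php_flag in .htaccess\n", $sapi);
    printf("has no effect here; use php.ini or .user.ini for these settings instead.\n\n");
}

$problems = 0;
foreach ($mustBeOff as $setting) {
    $value = ini_get($setting);
    if ($value === false) {
        // Unknown to this PHP version, so there is nothing left to disable.
        printf("%-22s not present in this PHP version\n", $setting);
    } elseif (iniIsOff($value)) {
        printf("%-22s OK (off)\n", $setting);
    } else {
        printf("%-22s INSECURE (value: %s)\n", $setting, $value);
        $problems++;
    }
}

printf("\n%d setting(s) still need attention.\n", $problems);
```

Delete the script again once the settings check out; a page that prints server configuration details is not something to leave lying around on a public host.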
Remember, I certainly recommend turning register_globals off, as this poses one of the greatest security holes in the default PHP settings on a whole lot of shared hosting servers.