webdev blog carp fishing blog

Blog Roll
Jul 7, 2006

Apache .htaccess and php security

As anybody who has worked with Apache's .htaccess can confirm, it is a mighty and dangerous tool! 

You can use it for several purposes like changing the default page, URL rewriting, redirection, securing directories, but not everybody knows that you can also use it to influence your PHP settings.

Normally PHP gets its environmental settings from php.ini, most of the time hidden (and not editable) for developers on a shared server.
But here comes the .htaccess functionality in play; you can change PHP initialization variables and default behavior through the use of a .htaccess file. You can also create different .htaccess files to use in different directories, so you have even more control.

Lets see how this works:

According to PHP security best practices settings there are a few environmental values that definitely need reviewing. And we need some changes in these settings to make sure PHP is optimally protected from malicious attacks or plain vulnerabilities.

  • register_globals (should be off)
  • allow_url_fopen (should be off)
  • magic_quotes_gpc (should be off)
  • magic_quotes_runtime (should be off)
  • safe_mode and open_basedir (should be enabled, but also need some configuration which we will not address here )

Use phpinfo() and review above settings in your hosting environment. Some of those might be correct, while most of the time some are definitely not. Now open your existing .htaccess file (or create one) and add the following lines to it:

# set register globals off
php_value register_globals 0
# set allow_url_fopen off
php_value allow_url_fopen 0
# set magic_quotes_gpc off
php_value magic_quotes_gpc 0
# set magic_quotes_runtime off
php_value magic_quotes_runtime 0

Run phpinfo() again and review the changes.
Now thoroughly test your websites functionality. Does your code or website not work properly anymore? Well, you can disable (some of) the new settings by commenting them out with a # in front of the declaration, but I certainly recommend reviewing and hardening the code you use, or make sure you update or cross-grade to a more safely built version or alternative product of the script involved.

Remember I certainly recommend register_globals to be turned off, as this poses one of the greatest security holes in PHP default settings on a whole lot of shared hosting servers.

There are no comments on this blog entry yet!

Send your comments to or post them right here!

name e-mail
comment title website url

Start > blog> php security> ...

inloggen validate