• blog development
  • pingback dev
  • storing comments
  • trackback dev
  • trackback or pingback
• business blog
  • ATOM feed
  • new eu site
  • new partners
  • RSS feed
• dutch
  • webdesign limburg
• humor
• personal
  • blog start
  • blogrolling
  • ZEND certification
• php security
  • htaccess and php security
• script blog
  • session time outs
  • xml tryouts
• webdev blog
  • agile development
  • any browser
  • code validation
  • css validation
  • microformats and hcards
  • SAJAX

Blog Roll

Hardened-PHP Project News John Lim O'Reilly PHP DevCenter PHP Classes PHP DevCenter PHP Security Consortium PHP-Center php.net PHPBuilder.com Planet PHP Professional PHP Recipes PHP Cookbook Smoking PHP ThinkPHP Tobias Schlitt WeberDev Powered by Bloglines

Apache .htaccess and php security

As anybody who has worked with Apache's .htaccess can confirm, it is a mighty and dangerous tool! 

You can use it for several purposes like changing the default page, URL rewriting, redirection, securing directories, but not everybody knows that you can also use it to influence your PHP settings.

Normally PHP gets its environmental settings from php.ini, most of the time hidden (and not editable) for developers on a shared server.
But here comes the .htaccess functionality in play; you can change PHP initialization variables and default behavior through the use of a .htaccess file. You can also create different .htaccess files to use in different directories, so you have even more control.

Lets see how this works:

According to PHP security best practices settings there are a few environmental values that definitely need reviewing. And we need some changes in these settings to make sure PHP is optimally protected from malicious attacks or plain vulnerabilities.

• register_globals (should be off)
• allow_url_fopen (should be off)
• magic_quotes_gpc (should be off)
• magic_quotes_runtime (should be off)
• safe_mode and open_basedir (should be enabled, but also need some configuration which we will not address here )

Use phpinfo() and review above settings in your hosting environment. Some of those might be correct, while most of the time some are definitely not. Now open your existing .htaccess file (or create one) and add the following lines to it:

# set register globals off
php_value register_globals 0

# set allow_url_fopen off
php_value allow_url_fopen 0

# set magic_quotes_gpc off
php_value magic_quotes_gpc 0

# set magic_quotes_runtime off
php_value magic_quotes_runtime 0

Run phpinfo() again and review the changes.
Now thoroughly test your websites functionality. Does your code or website not work properly anymore? Well, you can disable (some of) the new settings by commenting them out with a # in front of the declaration, but I certainly recommend reviewing and hardening the code you use, or make sure you update or cross-grade to a more safely built version or alternative product of the script involved.

Remember I certainly recommend register_globals to be turned off, as this poses one of the greatest security holes in PHP default settings on a whole lot of shared hosting servers.

Send your comments to or post them right here!

Start > blog> php security> ...