/etc/php5/apache2/php.ini values I set to "Off":

I don't bother with any of the safe_mode variables, for reasons cited here: http://ilia.ws/archives/18_PHPs_safe_mode_or_how_not_to_implement_security.html

I set "error_reporting = E_ALL". This gives notice of uninitialised variables, among other things.

I also add "disable_functions = dl, phpinfo, system, mail, shell_exec, exec, escapeshellarg, escapeshellcmd, passthru, proc_close, proc_open, proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, chown, disk_free_space, disk_total_space, diskfreespace, fileinode, max_execution_time, set_time_limit,highlight_file, show_source", to block scripts' ability to invoke inherently dangerous PHP access to system commands. (If ever desirable, those should be enabled on an as-needed, explicit per-command basis. Please note that the foregoing list is from PHP5. Some functions cited may not even be supported in some prior PHP versions.)

Why register_globals was always a bad idea and was disabled by default (and heavily discouraged) starting with PHP 4.2.0: http://en.wikibooks.org/wiki/Programming:PHP:Register_Globals

Recognition of, and explantion of, the problem as of the PHP 4.1.0 release: http://www.php.net/release_4_1_0.php

Values in /etc/php5/apache2/php.ini that I change from their "Off" defaults to "On":

I also uncomment "error_log=syslog" (since debugging information should go there and not to the public Web).

My distro furnishes a couple of prototype php.ini files:


The former was evidently furnished by Javier Fernández-Sanguino Peña (jfs@debian.org).[1] I'll soon be diff'ing it against my own. There might be an article in it. ;->

http://phpsec.org/ (PHP Security Consortium site)
http://www.php.net/features.safe-mode (Safe mode features of PHP)
http://shiflett.org/archive/81 (Chris Shiflett's talks on PHP security)
http://www.phpsecure.info/ (PHP security site)

David Wheeler has some worthwhile observations about PHP security in the Secure Programming for Linux and Unix HOWTO:

The Debian Administration Web site has: "Tightening PHP Security", at http://www.debian-administration.org/articles/138.

[1] Googling on that filename, one finds http://olympus.het.brown.edu/cgi-bin/dwww?type=file&location=/usr/share/doc/libapache2-mod-php4/examples/php.ini-paranoid, which is probably the same file.