Introduction

PHP is a powerful language and the interpreter, whether includedin a web server as a module or executed as a separateCGI binary, is able to access files, executecommands and open network connections on the server. Theseproperties make anything run on a web server insecure by default.PHP is designed specifically to be a more secure language forwriting CGI programs than Perl or C, and with correct selection ofcompile-time and runtime configuration options, and proper codingpractices, it can give you exactly the combination of freedom andsecurity you need.

As there are many different ways of utilizing PHP, there are manyconfiguration options controlling its behaviour. A largeselection of options guarantees you can use PHP for a lot ofpurposes, but it also means there are combinations of theseoptions and server configurations that result in an insecuresetup.

The configuration flexibility of PHP is equally rivalled by thecode flexibility. PHP can be used to build complete serverapplications, with all the power of a shell user, or it can be usedfor simple server-side includes with little risk in a tightlycontrolled environment. How you build that environment, and howsecure it is, is largely up to the PHP developer.

This chapter starts with some general security advice, explainsthe different configuration option combinations and the situationsthey can be safely used, and describes different considerations incoding for different levels of security.

add a note add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top