For the purpose of this tutorial, the PHP engine provides the development environment. There are many features of it that present significant security risks and should be disabled. Lately, they are disabled by default in the newer versions on PHP.
Securing your PHP must include:
- turn off register_globals: put register_globals = Off in your php.ini, or use ini_set(‘register_globals’, ‘Off’) in your code, or put php_flag register_globals 0 in your .htaccess
- turn off magic_quotes: put magic_quotes_gpc = Off, magic_quotes_runtime = Off, magic_quotes_sybase = Off in your php.ini, or do it the ini_set() or .htaccess way (see above).
- turn off allow_url_fopen and allow_url_include if you don’t need to read files via URLs (usually from other servers)
- set error_reporting level to 0, thus preventing error messages, potentially containing sensitive information, such as database keys, user passwords, etc., from being displayed in browsers; put error_reporting = 0 in your php.ini, or do it the ini_set() or .htaccess way.
Note that there are two alternative methods of altering the PHP configuration, should you have no access to the php.ini file: using your .htaccess file, or directly in your scripts, using ini_set() (remember, though, that using ini_set() only changes the value during and in the scope of the execution of that script).
See PHP Security Consortium’s PHP Security Guide for more on securing PHP.