[nycphp-talk] PHP Form Validation
Chris Shiflett
shiflett at php.net
Mon Sep 5 11:20:50 EDT 2005
Peter Sawczynec wrote:
> I knew I'd looked through the "php.ini-recommended" before and I did not
> find it thorough, so for the purposes of this discussion I just reviewed
> it again and I still find:
>
> open_basedir = "" [is not set],
> allow_url_fopen = On,
> expose_php = On,
> safe_mode = off,
> track_errors = Off,
>
> All these settings should be reversed for the default.
While open_basedir is a good thing to set, there's no way a default
config file that comes bundled with the distribution can specify a value
that fits everyone's needs. This is something that needs to remain as is.
Disabling expose_php would seriously hurt the usage graph, so that's
unlikely to happen. I'm not saying the PHP Group is more concerned with
marketing than security, but there is very little to be gained by
disabling this, so there's really no point. A little obscurity never
hurts, but it's not worth much.
The safe_mode directive needs to go. I would hate to see that enabled by
default. I'd rather see it not in the config file at all. This is a
likely scenario for PHP 6.0. In exchange, hosts can utilize open_basedir
and disable_functions, and perhaps the config file can have some
commented lines with suggestions.
> Apache also has several little canoodles in the conf, e.g.:
> ServerSignature On.
Same as above. A little bit of obscurity has a little bit of value, but
it's not worth "hiding" the fact that so many people use Apache and PHP.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
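As an added illustration (not part of the original post or of any PHP distribution file), the fragment below shows what the per-host alternative Chris describes would look like in a host-specific php.ini: open_basedir plus disable_functions standing in for safe_mode, with the other directives Peter listed alongside their thread-suggested values. The paths and the function list are assumptions chosen for the example; every host would pick its own, which is exactly why Chris says a bundled default cannot set open_basedir for everyone.

```ini
; Added example: a host-specific php.ini fragment, not the bundled
; php.ini-recommended. Paths and function names below are placeholders.

; Confine this host's PHP scripts to its own document root and a scratch
; directory. The value is site-specific, so it cannot live in the default
; file shipped with PHP; each host sets its own.
open_basedir = "/var/www/example-host/:/tmp/"

; Withhold process-spawning functions from this host's scripts. This plus
; open_basedir is the replacement Chris proposes for safe_mode.
; (Illustrative list; hosts decide which functions they do not want exposed.)
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"

; The thread's position: safe_mode should not be on by default and is
; expected to disappear from the config file entirely.
safe_mode = Off

; Remaining directives from Peter's list, set to the values he proposes.
; Chris rates expose_php = Off as a small amount of obscurity worth little.
allow_url_fopen = Off
expose_php = Off
track_errors = Off
```

With mod_php on Apache, a host can pin the first two directives per virtual host using php_admin_value so that a site's own .htaccess or ini_set() cannot loosen them; the corresponding Apache-side change Peter mentions is ServerSignature Off in httpd.conf, which Chris places in the same "a little obscurity, a little value" category.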