NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Form Validation

Chris Shiflett shiflett at php.net
Mon Sep 5 11:20:50 EDT 2005


Peter Sawczynec wrote:
> I knew I'd looked through the "php.ini-recommended" before and I did not
> find it thorough, so for the purposes of this discussion I just reviewed
> it again and I still find:
>
> open_basedir = "" [is not set],
> allow_url_fopen = On,
> expose_php = On,
> safe_mode = off,
> track_errors = Off,
>
> All these settings should be reversed for the default.

While open_basedir is a good thing to set, there's no way a default 
config file that comes bundled with the distribution can specify a value 
that fits everyone's needs. This is something that needs to remain as is.

Disabling expose_php would seriously hurt the usage graph, so that's 
unlikely to happen. I'm not saying the PHP Group is more concerned with 
marketing than security, but there is very little to be gained by 
disabling this, so there's really no point. A little obscurity never 
hurts, but it's not worth much.

The safe_mode directive needs to go. I would hate to see that enabled by 
default. I'd rather see it not in the config file at all. This is a 
likely scenario for PHP 6.0. In exchange, hosts can utilize open_basedir 
and disable_functions, and perhaps the config file can have some 
commented lines with suggestions.

> Apache also has several little canoodles in the conf, e.g.:
> ServerSignature On.

Same as above. A little bit of obscurity has a little bit of value, but 
it's not worth "hiding" the fact that so many people use Apache and PHP.

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
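As an added example (not code from the original message, the list, or the PHP project), the PHP CLI script below reports which of the directives discussed in this thread are still at their permissive values on the running interpreter, and shows what open_basedir enforces by tightening it at runtime, since open_basedir may be narrowed from a script but never widened. The hardened values it checks for, and the sample php.ini lines in its comments, are the editor's suggestions for a shared host; allow_url_fopen, allow_url_include and expose_php cannot be changed from a script, so the script can only report them.

```php
<?php
// Added example: audit the php.ini directives discussed above and
// demonstrate the open_basedir restriction. Run with: php ini_audit.php
// The "desired" values are hardening suggestions, not PHP's defaults.
declare(strict_types=1);

// Directive => value a hardened host wants ('0' = Off, '1' = On).
// allow_url_fopen / allow_url_include are PHP_INI_SYSTEM and expose_php is
// PHP_INI_ONLY: they must be set in php.ini or the SAPI config, so this
// script can only report them. display_errors is PHP_INI_ALL.
$desired = [
    'allow_url_fopen'   => '0',
    'allow_url_include' => '0',
    'expose_php'        => '0',
    'display_errors'    => '0',
];

// ini_get() returns "" or "0" for Off and "1" for On, but a value written
// as On/Off or yes/no in some configs may come back verbatim; normalize.
function iniBool(string $raw): string
{
    $off = ['', '0', 'off', 'false', 'no', 'none'];
    return in_array(strtolower(trim($raw)), $off, true) ? '0' : '1';
}

// Returns one human-readable finding per directive that is still permissive.
function auditDirectives(array $desired): array
{
    $findings = [];
    foreach ($desired as $name => $want) {
        $have = (string) ini_get($name);
        if (iniBool($have) !== $want) {
            $findings[] = sprintf('%s is %s, want %s',
                $name, var_export($have, true), $want === '0' ? 'Off' : 'On');
        }
    }
    // The two directives the message proposes in place of safe_mode.
    // Illustrative php.ini lines for a per-vhost config (values assumed):
    //   open_basedir = /var/www/example/:/tmp/
    //   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is unset: scripts may read any file the server user can';
    }
    if (trim((string) ini_get('disable_functions')) === '') {
        $findings[] = 'disable_functions is empty: exec/system/passthru etc. are callable';
    }
    return $findings;
}

// Tightens open_basedir to the temp directory and reports what is still
// readable. Assumes this script is not itself stored under the temp dir.
function demonstrateOpenBasedir(): array
{
    $jail   = sys_get_temp_dir();
    $inside = $jail . DIRECTORY_SEPARATOR . 'open_basedir_demo.txt';
    file_put_contents($inside, "inside the jail\n");

    // Before the restriction, reading this very script succeeds.
    $scriptBefore = @file_get_contents(__FILE__) !== false;

    // open_basedir can only be narrowed at runtime; after this call every
    // filesystem function checks paths against $jail.
    ini_set('open_basedir', $jail);

    $results = [
        'script_before' => $scriptBefore,
        'inside_jail'   => @file_get_contents($inside) !== false,
        // Outside the jail PHP emits "open_basedir restriction in effect"
        // (suppressed here with @) and file_get_contents() returns false.
        'script_after'  => @file_get_contents(__FILE__) !== false,
    ];
    unlink($inside);
    return $results;
}

foreach (auditDirectives($desired) as $finding) {
    echo "finding: $finding\n";
}
foreach (demonstrateOpenBasedir() as $what => $readable) {
    printf("%-14s %s\n", $what, $readable ? 'readable' : 'blocked');
}
```

On a stock CLI install the audit typically reports allow_url_fopen and expose_php as On and open_basedir and disable_functions as unset, and the demonstration shows the script readable before the ini_set() call, the temp file readable after it, and the script itself blocked afterwards. Because the restriction cannot be relaxed once applied, production hosts set it per vhost or per directory in the web server config rather than in application code.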
