User Tools

Site Tools


Securing PHP

Here is my configuration / notes about securing a php installation.

php_openbasedir must be configured per site

In the apache configuration of the virtual host, open_basedir must be configured and must point to the directory of the web application or deeper, to ban php to open other files that aren't in the installation.


    <Directory "/mywebsite">
        php_admin_value open_basedir "/mywebsite:/dev/urandom"

include_path must be specified also and limited to the web directory or deeper

include_path is another funny thing. It specifies what php files can be read by the include command: it's better to specify the more constrained directory possible: if the application has an “include” directory, specify this directory only, to avoid an attacker to read configuration files or other information.

This configuration must be set per virtual host, and it's better to set a non-existent file in the main php.ini file.


  php_admin_value include_path "/mywebsite/include/"

upload_tmp_dir must be set OUTSIDE YOUR WEBSITE

This is a frequent source of problems. And I misunderstood that many times, until somebody kindly let me know about this, by injecting c99.php in my website. This directive configures the directory where upload files must be placed when loaded: it's a very bad idea to have them inside your website, because it allows an attacker to upload any php file and execute it afterwards.


php_admin_value upload_tmp_dir "/tmp"

engine must be unset if the site doesn't need php

Configure engine on only if you need php in the virtual host:


php_admin_value engine On
linux/securingphp.txt · Last modified: 2022/12/02 22:02 by