Frequent hacker attacks prove that web security remains the most important issue for anyone doing business on the Internet. Servers are most often the targets of these attacks because of the information they store. That is why it is necessary to ensure reliable server protection.
Securing PHP on Apache
Run "phpinfo()" and check the line for the "open_basedir" directive. This directive defines the base directory for all users. Once it is set, they can no longer open files outside this root folder and its subdirectories, such as files in "C:/Windows".
If your directory structure is different, define the appropriate directory, for example "www_root", as the base directory. However, one user will still be able to read and modify another user's files. This must be prevented.
Unfortunately, there are no options in the php.ini file to prevent one user from accessing another's data.
But there is one interesting option if PHP is running on Apache. In the "phpinfo()" output you will find two columns: Master Value and Local Value. The first is the value from "php.ini". The second is the value that is in effect while the server is running.
If a setting is not security critical, its value can be changed from within a script using "ini_set()". This does not apply to "open_basedir", because this value is security critical and can only be changed by an administrator.
In Apache, the local value of "open_basedir" can be set manually in the configuration file "httpd.conf".
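As an added example (not part of the original article), the fragment below shows one way to give each site its own local value of "open_basedir" in "httpd.conf". It assumes PHP runs as an Apache module (mod_php); the host names and paths are constructed placeholders.

```apache
# Constructed example for a shared host running PHP as an Apache module
# (mod_php). Host names and paths are placeholders.
#
# BEFORE (weak): a single value in php.ini shared by every site,
#     open_basedir = /var/www/
# keeps scripts out of system directories, but a script of site "alice"
# can still read and modify the files of site "bob".
#
# AFTER: each virtual host gets its own local value. Settings made with
# php_admin_value cannot be overridden from .htaccess or with ini_set().

<VirtualHost *:80>
    ServerName alice.example
    DocumentRoot "/var/www/alice/htdocs"

    # Trailing slash: the entry names a directory, so "/var/www/alice/"
    # can never also match a sibling such as "/var/www/alice2".
    # Entries are separated by ":" on Unix and by ";" on Windows.
    php_admin_value open_basedir "/var/www/alice/:/var/tmp/alice/"

    # Keep uploads and session files in the site's own directories so
    # its scripts need no access to a temp directory shared with others.
    php_admin_value upload_tmp_dir "/var/tmp/alice"
    php_admin_value session.save_path "/var/tmp/alice"
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example
    DocumentRoot "/var/www/bob/htdocs"

    php_admin_value open_basedir "/var/www/bob/:/var/tmp/bob/"
    php_admin_value upload_tmp_dir "/var/tmp/bob"
    php_admin_value session.save_path "/var/tmp/bob"
</VirtualHost>
```

After Apache is restarted, the Local Value column of "phpinfo()" on each site should show that site's own path, while Master Value still shows the value from "php.ini".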
Other PHP settings
Use the "disable_functions" directive in the "php.ini" file to disable functions that are potentially dangerous.
Think carefully about every change you make. Disabling a function means that some scripts will stop working.
Some functions are really dangerous and are not usually required by scripts. Others may be needed for specific purposes. It is therefore not easy to disable every function that may be dangerous, so weigh each decision carefully.
Do not assume that the "safe_mode = On" setting alone will suffice. It may disable some useful features and may not solve the security problem described above. Safe mode is deprecated in PHP 5.3.0 and is removed in PHP 6.0.0.
Protection issues
There are several mistakes a web developer can make that leave a website insecure.
For example, if you are building a blog and allow users to upload images, this can be a serious hazard when the code is written by a beginner. A programmer can also make several mistakes on the login page and elsewhere. One of the most common is failing to block the upload of malicious code.
The important point is that one insecure site on shared public hosting is a threat to the entire server. Installing open source projects like PHP-Nuke can also be risky. Several vulnerabilities in similar projects have already been discovered.