[Solved]: PHP security.
 


Started by phill104, June 15, 2008, 09:20:50 PM


phill104

Slightly off topic I know but here we go.

My host complained that I was using too many resources on my shared package, so I have changed companies and am using a virtual server with a great company called Bytemark. Before I fully make the switch (and manage to get my head around DNS and virtual hosts ???) I want to make sure the basic PHP install is as secure as it can be.

Are there any specific PHP settings (still allowing Coppermine to run) that it would be a good idea to turn on, off or adjust?

I've done a basic Coppermine install in a test area (http://coppermine.co.uk.testing.windsurf.vm.bytemark.co.uk/) and it works a treat. Having been hacked before and now having to rely on my own backups, I really would like to get as secure as I can without restricting the gallery to the many users that use it.
It is a mistake to think you can solve any major problems just with potatoes.

Nibbler

Things that come to mind:

register_globals -> Off
allow_url_include -> Off
allow_url_fopen -> On if you use URI uploads, Off otherwise
display_errors -> Off
log_errors -> On

memory_limit and max_execution_time as low as possible without causing issues.
Any extensions you don't need shouldn't be loaded/compiled in.

File/directory permissions set as restrictive as possible for your server setup.

Keep PHP itself up to date - automatically if possible.
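
As an added example (not part of the thread and not Coppermine code), here is one way to check a php.ini file against the boolean directives listed in the post above. The function names, the `uri_uploads` switch and the sample file contents are constructed for illustration; a directive missing from the file is reported so it can be pinned explicitly.

```python
TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false", "none", ""}

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
[PHP]
register_globals = Off
allow_url_include = On   ; should be Off
allow_url_fopen = On
display_errors = On
display_errors = Off     ; the later assignment wins
"""

def expected(uri_uploads):
    # Wanted state per directive; allow_url_fopen stays On only for URI uploads.
    return {"register_globals": False, "allow_url_include": False,
            "allow_url_fopen": uri_uploads, "display_errors": False, "log_errors": True}

def parse_ini(text):
    """Return {directive: raw value}; enough for simple boolean directives."""
    values = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                               # blank line or section header
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip("\"'")
    return values

def to_bool(raw):
    """Map a php.ini boolean word to True/False, or None if unrecognised."""
    raw = raw.lower()
    return True if raw in TRUE_WORDS else False if raw in FALSE_WORDS else None

def audit(text, uri_uploads=False):
    """Return sorted (directive, problem) pairs for settings that differ."""
    values, findings = parse_ini(text), []
    for name, want in expected(uri_uploads).items():
        got = to_bool(values[name]) if name in values else None
        if name not in values:
            findings.append((name, "not set explicitly"))
        elif got is None:
            findings.append((name, "unrecognised value " + repr(values[name])))
        elif got != want:
            findings.append((name, "is On, should be Off" if got else "is Off, should be On"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

Pass `uri_uploads=True` when the gallery uses URI uploads, so that `allow_url_fopen = On` is accepted.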

phill104

Cheers Nibbler. PHP will update automatically. I'll work on the others now.