How to set up a secure PHP environment on a wide base of PHP configurations_问答_开发者

How to set up a secure PHP environment on a wide base of PHP configurations

开发者 https://www.devze.com 2023-02-17 04:52 出处：网络

I\'m just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hos

I'm just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hosts don't allow ini_set() and only allow configur开发者_运维知识库ation with the php.ini file. Is there a way to set up a secure PHP environment on a wide base of PHP configurations? How do other PHP programs face this problem (e.g. Wordpress, Drupal etc.).

Generally speaking :

In your software :
- try to not depend on too many system-wide settings
- have something that works with default settings (see the php.ini file(s) that are provided with a default PHP installation -- both from php.net, and from the major Linux distributions)
Write some short and clear list of requirements
Code some kind of installation script, that will :
- check automatically for those requirements,
- and explain how to set those that are not properly configured

You could output a warning if you encounter a setting that you deem unsecure.

Many web apps do it that way, e.g. if the install script isn't deleted, or the administrator has a default password.