Best Security Practices for PHP & MySQL
PHP offers robust security inside out, but it is in the hands of developers to implement them correctly. In this article, we will look at some PHP security tips for Linux admins. The tips will help you secure your Web application and ensure proper functioning in the long run.
We can secure our web site from different types of common attacks, such as SQL injection, XSS, sea-surf attacks, eval(), File uploads, and so forth by taking care of the following directives in php.ini.
1. Disallow dangerous functions
PHP comes with useful functions for developmental purposes, but it is also plagued with functions that can be used by hackers to exploit the Web app. Disabling the functions can improve the overall security and ensure that you are not affected by dangerous PHP functions.
disable_functions = phpinfo, system, mail, exec ,passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
2. Maximum execution time of each script, in seconds
Controlling resources is important for making our app secure. To ensure proper execution and security, we need to set the limit for PHP script execution. Furthermore, you also may want to set a limit on the time spent on parsing request data. With execution time under control, other resources such as the memory usage by a script should also be configured accordingly.
max_execution_time = 30
3. Maximum amount of time each script may spend parsing request data
max_input_time = 60
4. Maximum amount of memory a script may consume
The PHP memory_limit is the maximum amount of server memory that each PHP script is allowed to consume.
memory_limit = 8M
5. Maximum size of POST data that PHP will accept.
The HTTP POST function uses the client’s browser to send data to the Web server.
For example, a user can upload a certificate and send it to the Web browser for processing purposes. Everything works fine until one day a hacker attempts to send a huge file size to clog the server resources. This can easily lead to crashes or slow responses from the server. To protect our server from this exploit, we need to set the POST size.
post_max_size = 8M
6. Whether to allow HTTP file uploads.
If the app doesn’t require uploading any files, disabling the functionality to upload files can lead to better security.
file_uploads = Off
7. Maximum allowed size for uploaded files.
upload_max_filesize is the maximum size of an uploaded file. This is the limit for a single file
upload_max_filesize = 2M
8. Do not expose PHP error messages to external users
Another simple way of tightening the security of your Web applications is to not show errors to the visitors. This will ensure that the hacker in no way can compromise the security of the Web site.
display_errors = Off
9. Turn on safe mode
safe_mode = On
10. Only allow access to executables in isolated directory
safe_mode_exec_dir = php-required-executables-path
11. Limit external access to PHP environment
safe_mode_allowed_env_vars = PHP_
12. Restrict PHP information leakage
It is common for platforms to leak vital information. For example, PHP releases information such as versions and the fact that it is installed on the server. This is done through the expose_php directive. To prevent the leak, we need to set the directive to off.
expose_php = Off
13. Log all errors
Developers can use the log_errors directive for debugging purposes.
log_errors = On
error_log=/var/log/nginx/php_scripts_error.log
14. Do not register globals for input data
register_globals = Off
15. Minimize allowable PHP post size
post_max_size = 1K
16. Ensure PHP redirects appropriately
cgi.force_redirect = 0
17. Disallow uploading unless necessary
If the app doesn’t require uploading any files, disabling the functionality to upload files can lead to better security.
file_uploads = Off
18. Enable SQL safe mode
sql.safe_mode = On
19. Avoid Opening remote files
Remote code execution is one of the common security flaws in PHP security. By default, remote code execution is enabledon your system. The “allow_url_fopen” directive allows functions such as require, include, or URL-aware fopen wrappers to get direct access to the PHP files. The remote access is done by using HTTP or FTP protocol and can cause the systemto be defenseless against the code injection vulnerabilities.
To ensure that our system is secure from remote code execution, you can set the directive “Off”,
allow_url_fopen = Off
STEPS TO SECURE TO MYSQL
After installing MySQL server, it is insecure in it’s default configuration, and securing it is one of the essential tasks in general database management:
1. Secure MySQL Installation
First step after installing mysql is to secure the database
This script improves the security of your MySQL server by asking you to:
- set a password for the root account, if you didn’t set it during installation.
- disable remote root user login by removing root accounts that are accessible from outside the local host.
- remove anonymous-user accounts and test database which by default can be accessed by all users, even anonymous users.
mysql_secure_installation
2. Disable the use of LOAD DATA LOCAL INFILE command
The LOAD DATA LOCAL INFILE command allows users to read local files and even access other files on the operating system, which could be exploited by attackers using methods such as SQL injection. The command should therefore be disabled by inserting set-variable=local-infile=0 to the [mysqld] section of my.cnf.
3. Do not permit the use of symlinks to tables.
This capability can be disabled with the –skip-symbolic-links option. This is especially important if you run mysqld as root, because anyone that has write access to the server’s data directory then could delete any file in the system.
6. Set Appropriate Permission on MySQL Files.
Ensure that you have appropriate permissions set for all mysql server files and data directories. The /etc/my.conf file should only be writeable to root. This blocks other users from changing database server configurations.
chmod 644 /etc/my.cnf
Leave a Reply