Best Security Practices for PHP & MySQL

PHP offers robust security inside out, but it is in the hands of developers to implement them correctly. In this article, we will look at some PHP security tips for Linux admins. The tips will help you secure your Web application and ensure proper functioning in the long run.

We can secure our web site from different types of common attacks, such as SQL injection, XSS, sea-surf attacks, eval(), File uploads, and so forth by taking care of the following directives in php.ini.

1. Disallow dangerous functions  

PHP comes with useful functions for developmental purposes, but it is also plagued with functions that can be used by hackers to exploit the Web app. Disabling the functions can improve the overall security and ensure that you are not affected by dangerous PHP functions.

disable_functions = phpinfo, system, mail, exec ,passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source 

2. Maximum execution time of each script, in seconds 

Controlling resources is important for making our app secure. To ensure proper execution and security, we need to set  the limit for PHP script execution. Furthermore, you also may want to set a limit on the time spent on parsing request data. With execution time under control, other resources such as the memory usage by a script should also be configured accordingly.

max_execution_time = 30 

3. Maximum amount of time each script may spend parsing request data 

max_input_time = 60 

4. Maximum amount of memory a script may consume 

The PHP memory_limit is the maximum amount of server memory that each PHP script is allowed to consume.

memory_limit = 8M 

5. Maximum size of POST data that PHP will accept. 

The HTTP POST function uses the client’s browser to send data to the Web server.

For example, a user can upload a certificate and send it to the Web browser for processing purposes. Everything works fine until one day a hacker attempts to send a huge file size to clog the server resources. This can easily lead to crashes or slow responses from the server. To protect our server from this exploit, we need to set the POST size.

post_max_size = 8M 

6. Whether to allow HTTP file uploads.  

If the app doesn’t require uploading any files, disabling the functionality to upload files can lead to better security.  

file_uploads = Off 

7. Maximum allowed size for uploaded files. 

upload_max_filesize is the maximum size of an uploaded file. This is the limit for a single file

upload_max_filesize = 2M 

8. Do not expose PHP error messages to external users  

Another simple way of tightening the security of your Web applications is to not show errors to the visitors. This will ensure that the hacker in no way can compromise the security of the Web site. 

display_errors = Off 

9. Turn on safe mode  

safe_mode = On 

10. Only allow access to executables in isolated directory 

safe_mode_exec_dir = php-required-executables-path  

11. Limit external access to PHP environment  

safe_mode_allowed_env_vars = PHP_  

12. Restrict PHP information leakage

It is common for platforms to leak vital information. For example, PHP releases information such as versions and the fact that it is installed on the server. This is done through the expose_php directive. To prevent the leak, we need to set the directive to off.  

expose_php = Off 

13. Log all errors  

Developers can use the log_errors directive for debugging purposes. 

log_errors = On 


14. Do not register globals for input data  

register_globals = Off 

15. Minimize allowable PHP post size  

post_max_size = 1K 

16. Ensure PHP redirects appropriately  

cgi.force_redirect = 0 

17. Disallow uploading unless necessary 

If the app doesn’t require uploading any files, disabling the functionality to upload files can lead to better security.  

file_uploads = Off   

18. Enable SQL safe mode 

sql.safe_mode = On 

19. Avoid Opening remote files  

Remote code execution is one of the common security flaws in PHP security. By default, remote code execution is enabledon your system. The “allow_url_fopen” directive allows functions such as require, include, or URL-aware fopen wrappers to get direct access to the PHP files. The remote access is done by using HTTP or FTP protocol and can cause the systemto be defenseless against the code injection vulnerabilities.

To ensure that our system is secure from remote code execution, you can set the directive “Off”, 

allow_url_fopen = Off 


 After installing MySQL server, it is insecure in it’s default configuration, and securing it is one of the essential tasks in general database management:

1. Secure MySQL Installation

First step after installing mysql is to secure the database

This script improves the security of your MySQL server by asking you to:

  • set a password for the root account, if you didn’t set it during installation.
  • disable remote root user login by removing root accounts that are accessible from outside the local host.
  • remove anonymous-user accounts and test database which by default can be accessed by all users, even anonymous users.

2. Disable the use of LOAD DATA LOCAL INFILE command

The LOAD DATA LOCAL INFILE command allows users to read local files and even access other files on the operating system, which could be exploited by attackers using methods such as SQL injection. The command should therefore be disabled by inserting set-variable=local-infile=0 to the [mysqld] section of my.cnf.

3. Do not permit the use of symlinks to tables.

This capability can be disabled with the –skip-symbolic-links option. This is especially important if you run mysqld as root, because anyone that has write access to the server’s data directory then could delete any file in the system.

6. Set Appropriate Permission on MySQL Files.

Ensure that you have appropriate permissions set for all mysql server files and data directories. The /etc/my.conf file should only be writeable to root. This blocks other users from changing database server configurations.

chmod 644 /etc/my.cnf

Leave a Reply

Your email address will not be published. Required fields are marked *