[wendy k. walker]

Hi Everyone,

I'm busily trying to get PHP setup on my PC using Windows XP Home Edition with SP2 as my operating system and I'm wanting to get it setup as secure as I can.

I'm hoping that someone here might be able to answer the following:

Question: What should "safe_mode_allowed_env_vars = PHP_" be set to?
Question: What functions of PHP should be listed after the "disable_functions =" and "disable_class ="
lines for security reasons?
Question: What [if anything] should I put after "user_dir =" ?
Question: What should I do with the following two lines;
; Define the anonymous ftp password (your email address)
; from="[email protected]"


I'm not too sure about the last question because I understand what "Define the anonymous ftp password" actually means but I think it might mean to uncomment the 'from=' line and put in a valid email address. Is that correct?

Thanks for any help.

Wendy

Edited by wendy k. walker, 22 February 2007 - 02:33 PM.

[Advertisements]

Hi Wendy,

What should "safe_mode_allowed_env_vars = PHP_" be set to?

Unless you are running in safe mode, which you should not be, this is fine the way it is. In safe mode, users can only modify enviroment variables with the prefix PHP_.

What functions of PHP should be listed after the "disable_functions =" and "disable_class ="
lines for security reasons?

Unless you know the names of the functions and classes, I could give you some Linux examples, you can leave these blank for now.

What [if anything] should I put after "user_dir =" ?

"The directory under which PHP opens the script using /~username used only if nonempty." Blank is fine for now.

And you can leave the ftp lines commented out. Ftp settings are best left to the ftp server.

More on PHP and Safe Mode.

Securing the web server, Apache, should be done in Apache.

Edited by -=blaster=-, 23 February 2007 - 02:56 AM.

[-=blaster=-]

Hi Wendy,

What should "safe_mode_allowed_env_vars = PHP_" be set to?

Unless you are running in safe mode, which you should not be, this is fine the way it is. In safe mode, users can only modify enviroment variables with the prefix PHP_.

What functions of PHP should be listed after the "disable_functions =" and "disable_class ="
lines for security reasons?

Unless you know the names of the functions and classes, I could give you some Linux examples, you can leave these blank for now.

What [if anything] should I put after "user_dir =" ?

"The directory under which PHP opens the script using /~username used only if nonempty." Blank is fine for now.

And you can leave the ftp lines commented out. Ftp settings are best left to the ftp server.

More on PHP and Safe Mode.

Securing the web server, Apache, should be done in Apache.

Edited by -=blaster=-, 23 February 2007 - 02:56 AM.

[wendy k. walker]

Hi -=blaster=-,

Thanks for your reply. Safe mode was set to --> safe_mode = Off during installation as was --> safe_mode_gid = Off and I've left those as they were.

As for the "disable_functions =" and "disable_class =" seeing as I have no idea what that is in reference I have left them empty rather than take a chance of messing something up.

I'm using the "php.ini-recomended" file for my "php.ini" file and I'm trying to heed any\all warnings or suggestions that I come across as I look through it but a lot of that stuff is confusing to me because I don't understand what it means.

Shoot, I'm still trying to develop 'My Geekness' here and I'm struggling to understand the terminology that most of the manuals kind of take for granted that everyone already knows.

I mean like the "disable_functions =" statement, I don't really know what is meant by 'function' but by reading through all of that stuff I'm figuring that that means any action that the program might preform.

Anyway I opted to leave "disable_functions =" , "disable_class =" and "user_dir =" blank until I knew for sure what to put in them.

--> Securing the web server, Apache, should be done in Apache. <-- This is an example of my lack of Geekness.

Every time I try to get to some of the juicy stuff in Apache like say --> C:\Apache\Apache2\manual\bind.html <-- or faq

I get something like this;

--> URI: bind.html.en Content-Language: en Content-type: text/html; charset=ISO-8859-1 URI: bind.html.es Content-Language: es Content-type: text/html; charset=ISO-8859-1 URI: bind.html.fr Content-Language: fr Content-type: text/html; charset=ISO-8859-1 URI: bind.html.ja.euc-jp Content-Language: ja Content-type: text/html; charset=EUC-JP URI: bind.html.ko.euc-kr Content-Language: ko Content-type: text/html; charset=EUC-KR <--

If I open it in wordpad it's easier to read BUTT I still have no idea what its saying. So where should I be looking in Apache to get my security settings set?

Sorry to be such a bother, and thanks for your help Boo.

Wendy