I'm just finishing a CMS that I want to release as open source. The program has some ini_set() directives to set a secure environment, like session.use_only_cookies, etc. The problem is that some hosts don't allow ini_set() and only allow configuration with the php.ini file. Is there a way to set up a secure PHP environment on a wide base of PHP configurations? How do other PHP programs face this problem (e.g. Wordpress, Drupal etc.).
Asked
Active
Viewed 157 times
1
wowpatrick
- 5,082
- 15
- 55
- 86
2 Answers
2
Generally speaking :
- In your software :
- try to not depend on too many system-wide settings
- have something that works with default settings (see the php.ini file(s) that are provided with a default PHP installation -- both from php.net, and from the major Linux distributions)
- Write some short and clear list of requirements
- Code some kind of installation script, that will :
- check automatically for those requirements,
- and explain how to set those that are not properly configured
Pascal MARTIN
- 395,085
- 80
- 655
- 663
-
Do you know by any chance a good resource/article/tutorial which explains how a good setup script should look like and what it should check? Would like to know some good practices, never wrote a setup script before. – wowpatrick Mar 17 '11 at 11:56
0
You could output a warning if you encounter a setting that you deem unsecure.
Many web apps do it that way, e.g. if the install script isn't deleted, or the administrator has a default password.
Pekka
- 442,112
- 142
- 972
- 1,088