The article "Ensuring website safety" is provided by Sophos Plc and SophosLabs.

December 2007

PHP is one of the most common server side scripting languages. It has a very vast database of functional code, simple syntax, adaptable code and, most importantly, it is interoperable with a variety of databases. MySQL is one of the most popular DBMS used in conjunction with PHP. The reason is that it's effective, has robust functionality, and is easy to configure and use.

The PHP language is often criticized for the lack of security, because over time it revealed many potential vulnerabilities. However, it is developing steadily. Most vulnerabilities can be offset by appropriate configuration and by raising the level of the code security.

Here are a few configuration tips (writing secure code is discussed below) dealing with variables in the “php.ini” file:

  • Set the register_globals variable to off.

  • Set the safe_mode to on.

  • Specify the base directory of the site in the Open_basedir variable.

  • Set the display_errors variable to off.

  • Set the log_errors variable to on.

  • Set the allow_url_fopen to off.

For more information on these settings and why they play an important role, see the following sources: [7, 8, 9].

When you install MySQL, it creates a “test” database is created and the default open “root” account with no password. This account is automatically granted full access to all other databases on the server. So you should do the following:

  • Immediately change the password for the “root” account.

  • Create a new MySQL account and grant it the minimum necessary rights.

  • Delete the “test” database and the corresponding users.