PHP.INI Blog and New Version of PHP

[zorgat]

Hi All,

I read the PHP.INI and Security Issues Blog on this website and was wondering if the newest version of PHP 5.4.4 has addressed some of the issues. I'm trying to use php to secure web pages on my photography site.

Do I still have to apply the same set of directives to the php.ini file?

TIA

Zorgat

[SteveW]

Yes, I still recommend the same set of php.ini directives as best practices. I don't have the just-released PHP version, but it looks to me like all the current settings recommendations are still applicable.

They mostly are not related to "bugs" in PHP, anyway, but to features that are occasionally useful, or were once considered useful but no longer are (register_globals), that it is best to disable if you don't need them. A website PHP installation needs to be more locked-down these days than used to be necessary in the "olden days", the early days of PHP.

The recommendations about how to write PHP code to prevent SQL injection and remote/local file inclusion are also still applicable. It will always be important to check incoming data carefully and use it only if it is valid. Invalid/malicious data received from the user must always be rejected or ignored.