info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-18 11:31:16 +02:00
Code Issues Projects Releases Wiki Activity

updating according to formatting requests

Browse Source
This commit is contained in:
Chris Cornutt
2012-07-20 06:40:44 -05:00
parent a5791e3b5c
commit a6d839480b
3 changed files with 27 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
_posts/07-05-01-Configuration-Files.md
View File

@@ -4,8 +4,12 @@ isChild: true
## Configuration Files ## Configuration Files
When creating configuration files for your applications, best practices recommend that one of the following methods be followed: When creating configuration files for your applications, best practices recommend that one of the following methods
be followed:
- It is recommended that you store your configuration information where it cannot be accessed directly and pulled in via the file system. - It is recommended that you store your configuration information where it cannot be accessed directly and pulled in
- If you must store your configuration files in the document root, name the files with a `.php` extension. This ensures that, even if the script is accessed directly, it will not be outputed as plain text. via the file system.
- Information in configuration files should be protected accordingly, either through encryption or group/user file system permissions - If you must store your configuration files in the document root, name the files with a `.php` extension. This
ensures that, even if the script is accessed directly, it will not be outputed as plain text.
- Information in configuration files should be protected accordingly, either through encryption or group/user file
system permissions

11
_posts/07-06-01-Register-Globals.md
View File

@@ -4,8 +4,15 @@ isChild: true
## Register Globals ## Register Globals
When enabled, the `register_globals` configuration setting that makes several types of variables (including ones from `$_POST`, `$_GET` and `$_REQUEST`) globals, available in the global scope of your application. This can easily lead to security issues as your application cannot effectively tell where the data is coming from. <strong>NOTE:</strong> As of the introduction of PHP 5.4, the `register_globals` setting has been removed and can no
longer be used.
If you are using a version of PHP that's prior to 4.2.0, you may still be at risk of this setting causing problems. As of PHP 4.2.0, the `register_globals` setting has been defaulted to "off" and, even more effective, the setting has been completely removed in PHP 5.4.0. To ensure the security of your application, ensure that this setting is always set to "off". When enabled, the `register_globals` configuration setting that makes several types of variables (including ones from
`$_POST`, `$_GET` and `$_REQUEST`) globals, available in the global scope of your application. This can easily lead to
security issues as your application cannot effectively tell where the data is coming from.
If you are using a version of PHP that's prior to 4.2.0, please be aware that you may still be at risk of this setting
causing problems. As of PHP 4.2.0, the `register_globals` setting has been defaulted to "off". To ensure the security
of your application, ensure that this setting is <strong>always</strong> set to "off" if available.
* [Register_globals in the PHP manual](http://www.php.net/manual/en/security.globals.php) * [Register_globals in the PHP manual](http://www.php.net/manual/en/security.globals.php)

12
_posts/07-07-01-Error-Reporting.md
View File

@@ -4,7 +4,10 @@ isChild: true
## Error Reporting ## Error Reporting
Error logging can be useful in finding the problem spots in your application, but it can also expose infromation about the structure of your application to the outside world. To effectively protect your application from issues that could be caused by the output of these messages, you need to configure your server differently in development versus production (live). Error logging can be useful in finding the problem spots in your application, but it can also expose infromation about
the structure of your application to the outside world. To effectively protect your application from issues that could
be caused by the output of these messages, you need to configure your server differently in development versus
production (live).
### Development ### Development
@@ -22,4 +25,9 @@ To hide the errors on your <strong>production</strong> environment, configure yo
- error_reporting: E_ALL - error_reporting: E_ALL
- log_errors: On - log_errors: On
With these settings in production, errors will still be logged to the error logs for the web server, but will not be shown to the user. With these settings in production, errors will still be logged to the error logs for the web server, but will not be
shown to the user. For more information on these settings, see the PHP manual:
* [Error_reporting](http://www.php.net/manual/en/errorfunc.configuration.php#ini.error-reporting)
* [Display_errors](http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors)
* [Log_errors](http://www.php.net/manual/en/errorfunc.configuration.php#ini.log-errors)