Archive

Posts Tagged ‘security’

Some .htaccess Rules To Improve PHP Portability

December 5th, 2008

PHP is a powerful tool, but if you write software that other people will deploy on their own servers, there are a few php.ini settings that you should never rely on being configured a particular way.

A good example is PHP short tags, a shorthand way of marking a block of text to be parsed as PHP. This is a normal tag:

<?php echo 'Hello World'; ?>

Here is the same code using short tags:

<? echo 'Hello World'; ?>

Another alternative, if you just want to print the value of a variable or expression, is the short echo tag:

<?= 'Hello World' ?>

Short tags are enabled or disabled by the short_open_tag setting in php.ini. If your application relies on them, then on a system where the setting is off the short-tag blocks are never parsed at all: PHP treats them as literal text and sends your source code to the browser, so your software simply does not work (and leaks its source). The same setting is also why short tags clash with XML: with short_open_tag on, an <?xml ... ?> declaration in a template is taken as the start of a PHP block.

You can force this setting on with the following rule in your .htaccess file on an Apache server. Note that php_flag and php_value are directives of the PHP Apache module (mod_php): they only work when PHP runs as a module, not as CGI or FastCGI, and the directory needs AllowOverride Options (or All) in httpd.conf for Apache to accept them.

php_flag short_open_tag on

Note that this probably works with other servers that use .htaccess but I haven't been able to test it. Two other settings that are worth turning off explicitly are register globals and magic quotes.

php_flag magic_quotes_gpc off
php_flag register_globals off

register_globals should be off on every server for security reasons: with it on, every request parameter is injected into your script as a PHP variable, so a crafted query string can pre-set a variable (a flag such as "authorised") that your code expected to set itself. Relying on magic quotes being turned on is just as dangerous. As a rule you should treat everything that comes from the user as hostile, and magic quotes only puts a backslash in front of quotes, backslashes and NUL bytes in $_GET, $_POST and $_COOKIE, which is not a general defence against SQL injection. The practical problem is double escaping: if you escape a string yourself (with addslashes or mysql_real_escape_string) while magic quotes is also on, the value is escaped twice and your database fills up with doubled backslashes. With magic quotes off you know the data arrives exactly as the client sent it, so you can escape it exactly once yourself, or better, pass it as a bound parameter of a prepared statement and let the database driver do the quoting. Both settings were removed in PHP 5.4, but on a PHP 5.2 or 5.3 host they may still be on.
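The following is an added example, not code from the original post. It shows the portable way to handle request data whether or not the host has magic_quotes_gpc on: strip the automatic backslashes if they were added, so the script always sees the raw input, and then use a PDO prepared statement instead of escaping by hand, which is what produces the doubled backslashes described above. The sqlite in-memory DSN and the "name" form field are assumptions for the sake of a self-contained run; any PDO driver behaves the same way.

```php
<?php
// Added example (not from the original post): normalise request data so the
// script behaves identically with magic_quotes_gpc on or off, then let PDO
// quote the value exactly once. get_magic_quotes_gpc() exists on PHP 5.x/7.x
// and is gone in PHP 8, hence the function_exists() guard.

/**
 * Recursively remove the backslashes magic_quotes_gpc added, so that
 * $_GET, $_POST and $_COOKIE hold the bytes the client actually sent.
 */
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed sample input standing in for a form field; a name with a quote
// in it is exactly the case that breaks hand-rolled escaping.
$name = isset($_POST['name']) ? $_POST['name'] : "O'Reilly";

// Wrong, and the source of the "multiple slashes" problem: escaping by hand
// on top of whatever the server already did.
//   $sql = "INSERT INTO users (name) VALUES ('" . addslashes($name) . "')";

// Right: a prepared statement. The driver quotes the bound value itself, so
// the stored string is the raw input no matter what magic quotes did.
$pdo = new PDO('sqlite::memory:');   // assumed DSN; needs the pdo_sqlite extension
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $name));

// Read the row back: the value comes out as entered, with no stray backslash.
$row = $pdo->query('SELECT name FROM users')->fetch(PDO::FETCH_ASSOC);
echo 'stored name: ', $row['name'], "\n";
```

Run it from the command line (php example.php) or drop it behind a form; in both cases the same row is written. The strip step is only needed on old hosts, but leaving it in costs nothing and removes the dependency on the php.ini setting entirely.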

PHP 5.1 and later emits a warning when a date or time function is called without a default timezone set, so you should set one explicitly. You can do this with the following rule.

php_value date.timezone "UTC"

While you are testing your PHP code you can use the following two rules to turn on full error reporting and display the errors in the page. Only the numeric value can be used here, not constants such as E_ALL: 8191 is E_ALL | E_STRICT on PHP 5.2 (the number grows in later versions; -1 means every level on any version).

php_value error_reporting "8191"
php_value display_errors "1"

To turn this off just change the display_errors setting to 0. You will want to do that on a production server, because displayed errors reveal file paths, SQL fragments and sometimes credentials to visitors; keep log_errors on so the messages still reach the error log where you can read them.

Finally, one last little fix is to make sure that the server doesn't let users simply browse the contents of your directories. Without it, any directory that has no index file gets an automatically generated listing, which hands an attacker your file names (backups, configuration files, the contents of an upload directory). The following .htaccess rule prevents Apache from showing a directory listing; like the rules above, it requires AllowOverride Options for the directory.

# Security: Don't allow browsing of directories
Options -Indexes

Categories: PHP

The PHP User On Linux

January 5th, 2008

Reading or writing a file from PHP is quite a common thing to do, but it can make a program fall flat on its face if the right file permissions are not in place. This rarely surfaces on a default Windows install, but on Linux (and OS X) you need to make sure your scripts run as a user with the correct permissions on the files they touch.

First you must find out which user and group the web server, and therefore PHP, runs as. On OS X the default is "www" for both user and group. If you are using Apache then the user and group are set in httpd.conf. Look for a pair of lines like the following, which are the default settings for Apache 2.2.

User daemon
Group daemon

On this server my PHP scripts run with the user and group "daemon". Use chown to change the owner of the directories the scripts need to write to (chmod only changes the permission bits, not the owner). For example, if your server serves files from /usr/local/apache2/htdocs/ then you would use the following commands. You will probably need to be root to run them.

chown daemon:daemon /usr/local/apache2/htdocs/
chmod 770 /usr/local/apache2/htdocs/

You can use the -R flag on both chmod and chown to apply the same owner and permissions to every file and sub-directory below the directory.

chown -R daemon:daemon /usr/local/apache2/htdocs/
chmod -R 770 /usr/local/apache2/htdocs/

A mode of 770 gives the owner and the group (both daemon here) read, write and execute access and nobody else anything, so a different account logged in to the server cannot even read the files; 775 adds read and execute for everyone else, which lets you read them. If you use the same username for Apache as you use to log in to the server then you won't have this trouble. Bear in mind, though, that a document root the web server can write to is not "very secure" in itself: any bug in a PHP script that lets an attacker choose a file name then lets them write into the web root, where the result is served and executed as code. The least-privilege layout is the other way round: the code owned by your own account and merely readable by daemon (755 directories, 644 files), with write access granted only to the specific directories that need it, such as an upload or cache directory.
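The following is an added example, not code from the original post. Rather than guessing the account from httpd.conf, it asks the running PHP process which user and group it actually is, checks the directories with the permissions they really need (read-only for the code, writable only for an uploads directory), and prints the exact chown/chmod commands to run when a check fails. The /usr/local/apache2/htdocs path and the uploads sub-directory are assumptions; the POSIX extension it uses is present on normal Linux and OS X builds of PHP.

```php
<?php
// Added example (not from the original post): report the Unix identity PHP
// really runs as and verify directory permissions from that identity's point
// of view, instead of guessing from the Apache configuration.

if (!function_exists('posix_geteuid')) {
    die("This example needs the POSIX extension (not available on Windows).\n");
}

/** Return the effective user and group names of the running PHP process. */
function php_identity()
{
    $user  = posix_getpwuid(posix_geteuid());
    $group = posix_getgrgid(posix_getegid());
    return array('user' => $user['name'], 'group' => $group['name']);
}

/**
 * Describe $dir and whether it is usable for the stated purpose. The checks
 * run as the current process, so they answer the question "can PHP use it"
 * rather than "what do the mode bits look like". Directories need the
 * execute bit (the x in 770/755) to be entered at all, so a directory with
 * mode 660 looks readable and writable yet is unusable.
 */
function check_dir($dir, $must_write)
{
    if (!is_dir($dir)) {
        return "$dir: does not exist";
    }
    $mode  = substr(sprintf('%o', fileperms($dir)), -4);   // e.g. 0770
    $owner = posix_getpwuid(fileowner($dir));
    $grp   = posix_getgrgid(filegroup($dir));
    $ok    = $must_write ? is_writable($dir) : is_readable($dir);
    return sprintf('%s: mode %s owner %s:%s %s', $dir, $mode,
        $owner['name'], $grp['name'],
        $ok ? 'OK' : ($must_write ? 'NOT WRITABLE' : 'NOT READABLE'));
}

/** The commands (to be run as root) that grant the web server user write access to $dir only. */
function fix_hint($dir, $id)
{
    return "chown {$id['user']}:{$id['group']} $dir\nchmod 770 $dir";
}

$id = php_identity();
echo "PHP runs as {$id['user']}:{$id['group']}\n";

// Assumed layout (example paths, not the post's): the code tree only needs to
// be readable by the server; the uploads directory is the one writable tree.
$docroot = '/usr/local/apache2/htdocs';
$uploads = "$docroot/uploads";

echo check_dir($docroot, false), "\n";
echo check_dir($uploads, true), "\n";

if (is_dir($uploads) && !is_writable($uploads)) {
    // error_log() goes to stderr on the command line and to the Apache
    // error log under mod_php, so the hint is visible either way.
    error_log("PHP cannot write to $uploads. As root run:\n" . fix_hint($uploads, $id));
}
```

Running it once from the command line (php check.php) and once through Apache is instructive: the two runs usually report different users, which is exactly why scripts that work for you in a shell fail when the web server runs them.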

Categories: PHP