On Wed, Jan 30, 2013 at 05:52:38PM +0000, Andy Smith wrote:
> > Is there any good info out there on securing php? I'd quite like to not
> > get hacked, which seems to be a common problem with PHP web apps.
> If "don't run PHP" doesn't work for you then my best advice is:
Up till now this has been my strategy, and I'm still considering
sticking with it.
> - Keep it up to date
I'm using the debian packages, and it's all set to auto-update.
> - Run as few plugins, modules etc as possible and keep
>   *those* up to date
> - Expect to be compromised, so try to secure your PHP execution
>   environment from the rest of your server.
>   e.g. do assume that at some point an attacker will get to execute
>   commands as the user that is running your PHP app so try to reduce
>   what the app can do.
This seems depressing but possibly sensible. I did find some references
to things like ensuring the php user can't send mail, but annoyingly I
actually want this app to send mail!
The PHP hate is making me think it may all have been a bad idea.
Michael
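One concrete way to act on the "reduce what the app can do" advice quoted above, given as an added example and not as anything posted in the thread: a PHP-FPM pool that runs the app as its own Unix user, confines file access with open_basedir, removes the shell-spawning functions, and still leaves mail() working, since mail() calls sendmail_path internally rather than through the disabled userland functions. The pool name, user, socket and paths are hypothetical placeholders.

```ini
; /etc/php5/fpm/pool.d/myapp.conf (hypothetical pool; adjust names and paths)
[myapp]
; Dedicated account: a compromise of this app does not give www-data or
; the other vhosts' files. The web server connects via the socket below.
user = myapp
group = myapp
listen = /run/php/myapp.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

pm = dynamic
pm.max_children = 10
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

; php_admin_* values cannot be overridden by ini_set() or .htaccess,
; so a compromised script cannot simply turn them back off.
; Restrict file access to the app's docroot and its own temp dir.
php_admin_value[open_basedir] = /var/www/myapp:/tmp/myapp
php_admin_value[upload_tmp_dir] = /tmp/myapp
php_admin_value[session.save_path] = /var/lib/php/sessions/myapp

; Remove the functions that spawn shells or processes. mail() is not
; listed, so the app can still send mail through sendmail_path.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i

; Don't let include/require or fopen() pull code or data off the network.
php_admin_flag[allow_url_include] = off
php_admin_flag[allow_url_fopen] = off

; Keep errors in a log the admin reads, not in pages an attacker reads.
php_admin_flag[expose_php] = off
php_admin_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php/myapp.log
```

The directories named in open_basedir, upload_tmp_dir and session.save_path must exist and be writable only by the pool user; the web server needs access to the socket, nothing else.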