PHP Security

I have bult a php site, and going live soon some questions first of all from what i read i need to have a .htaccess file in which it has turn of register_global and disable errors do i need to put anything further?

I believe that is a php.ini file not .htaccess but doing that in the php.ini will work fine.

I also have a admin section which is password protected from my hosting company, is that safe?

Well I would recommend that instead of using a .htaccess file to password protect the files, instead use actual php code to protect the data and of course any sensitive data would be in a database where only php can access it when programmed securely.

after reading i am getting loads of different information can someone please help me with what i need to follow (tutorial)

Perhaps a google search will answer that.

If you have any classes, functions, ect. you need to move them behind the document root (same folder as public_html on most hosts). Then you just included them.

You need to add a php.ini file and protect it with .htaccess. This means you put your php configurations in the php.ini and disable people from viewing in their browser via .htaccess.

In your .htaccess file:

<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files php.ini>
order allow,deny
deny from all
</Files>

Also disable the directory listing so people cannot see what you have on the server.

Options -Indexes

Here is a good php.ini example:

output_buffering = Off
safe_mode = Off
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
log_errors = On
ignore_repeated_errors = On
html_errors = Off
error_log = /home/username/logs/php_error_log
default_charset = "utf-8"
file_uploads = On
upload_max_filesize = 100MB
post_max_size = 150MB
allow_url_fopen = On
register_globals = Off
magic_quotes_gpc = Off
session.name = SESSID
disable_functions = exec,shell_exec,passthrough,eval,phpinfo

php.ini usually only works on a per directory basis so if you have multiple folders that need the same configuration, you need copy the same php.ini into each directory. (Spent hours finding this one out)

If you do not have uploads on the site, make sure you turn file uploads to 'off'. Also, if you don't need to access remote urls then turn off allow_url_fopen.

Make sure you leave the error logging part of the ini file. This will make it so all errors are logged to a central location and not in the directory of the file which had the error. The reason for this is so hackers cannot see the errors of the site, which might help them hack it.

If you use sessions, make sure you change the location of where they are stored. If another account is compromised on the server, a hacker could get into the tmp directory where your sessions are and steal info/hijack a session.

Here is a link on changing it: http://us3.php.net/manual/en/function.session-save-path.php
You can also do it through php.ini.

Make sure the directory where you are storing the sessions is not accessible to the public.

I wouldn't use http authentication with a .htpasswd file. At least use a database to store the login info. A login system with php (like cwarn23 said) would be best in my opinion. I posted a good example at: http://www.daniweb.com/forums/thread212083.html

and disable people from viewing in their browser via .htaccess.

error_log = /home/username/logs/php_error_log

I understand it will save it in logs folder, but what does file extention does it need to be?
What i dont understand is, cant i just disable it rather than saving it? I mean lets say my website is done and i will never update it (which isnt the case lol) can i not just disable it, can you please tell me why i need it and if so can i not save error to mysql database?

Thank you for your information, it has been printed and sace :), I think its now time to learn PHP correctly rather than doing shortcuts.

It doesn't need one. You can make one up if you want to.

Error logs can tell you a lot. Errors shouldn't be shown to your users, so I something goes wrong you need to be able to find the error somewhere. Always have the error log on.

You can also use

ini_set("register_globals", "off");

rather than use .htaccess or if you can't amend the php.ini file

change your php.ini file

Hello,

I would like to ask, if i will be able to save all errors to mysql rather than a log file.

also is it possible for me to be able to save any errors which end users make for example, a user enters user name and enters wrong password, can i save that error?

Hello,

I would like to ask, if i will be able to save all errors to mysql rather than a log file.

also is it possible for me to be able to save any errors which end users make for example, a user enters user name and enters wrong password, can i save that error?

The easiest way to make it save into a mysql database is simply by setting up a cron job to automatically transfer the data from the error log file to the database. And as for the error of wrong passwords, simply append to the log file which the cron task will then take care of. Hope that theory helps.