2004-01-26 13:22:25 +00:00
<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.4 $ -->
<!-- split from ./index.xml, last change in rev 1.66 -->
<chapter id="security.intro">
 <title>Introduction</title>
 <simpara>
  PHP is a powerful language, and the interpreter, whether loaded into
  the web server as a module or executed as a separate
  <acronym>CGI</acronym> binary, can access files, execute commands and
  open network connections on the server. A script therefore has the same
  reach as the interpreter process itself, which makes any code run on a
  web server insecure by default. PHP was designed to be a safer language
  for writing CGI programs than Perl or C, and with the right choice of
  compile-time and runtime configuration options, together with sound
  coding practices, it can give you the combination of freedom and
  security you need.
 </simpara>
 <simpara>
  Because PHP is used in many different ways, it has many configuration
  options controlling its behaviour. That range of options lets PHP serve
  many purposes, but it also means that some combinations of these
  options and of the surrounding server configuration result in an
  insecure setup.
 </simpara>
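 <para>
  The following script is an added example, not code from the PHP manual.
  It uses <function>ini_get</function> to audit the running interpreter
  for a few of the option combinations the paragraph above warns about.
  The set of directives it checks, and how it rates them, are choices
  made for this example rather than a list the manual gives; which values
  are acceptable depends on the deployment, so treat the output as prompts
  for review, not verdicts.
 </para>

```php
<?php
// Added example, not part of the PHP manual: audit the running interpreter
// for configuration settings and combinations that commonly yield an
// insecure setup. The directives checked and the wording of each finding
// are this example's own choices.

/** Interpret an ini value the way PHP does ("1", "On", "yes", "true" => true). */
function ini_bool(string $name): bool
{
    $value = ini_get($name);            // false if the directive is unknown
    if ($value === false) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) === true;
}

/** Return the function names listed in disable_functions (empty if none). */
function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_filter(array_map('trim', explode(',', $raw)), 'strlen');
}

/** Collect findings as human-readable strings; an empty array means nothing flagged. */
function audit_php_config(): array
{
    $findings = [];

    if (ini_bool('display_errors')) {
        $findings[] = 'display_errors=On: error output (paths, queries, stack traces) '
            . 'is sent to the client; log_errors is the production setting';
    }
    if (ini_bool('expose_php')) {
        $findings[] = 'expose_php=On: the PHP version is advertised in the X-Powered-By header';
    }
    if (ini_bool('allow_url_include')) {
        $findings[] = 'allow_url_include=On: include/require fetch remote URLs, so any '
            . 'unchecked include path becomes remote code execution';
    }

    // The combination matters more than either setting alone: with no
    // open_basedir and the shell functions enabled, any script (or any
    // code injected into one) has the full reach of the server process.
    $shell = ['exec', 'system', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    $reachable = array_values(array_diff($shell, disabled_functions()));
    $noBasedir = trim((string) ini_get('open_basedir')) === '';

    if ($noBasedir && $reachable !== []) {
        $findings[] = 'open_basedir is unset and ' . implode(', ', $reachable)
            . ' are callable: scripts can run commands and read any file the server user can';
    } elseif ($noBasedir) {
        $findings[] = 'open_basedir is unset: scripts can read any file the server user can';
    } elseif ($reachable !== []) {
        $findings[] = 'shell functions still callable: ' . implode(', ', $reachable);
    }

    return $findings;
}

// Command-line entry point; exit status 1 when anything was flagged so the
// script can gate a deployment check.
if (PHP_SAPI === 'cli') {
    $findings = audit_php_config();
    echo $findings === [] ? "no findings\n" : implode("\n", $findings) . "\n";
    exit($findings === [] ? 0 : 1);
}
```

 <para>
  Run it twice to see the difference the configuration makes:
  <literal>php -d display_errors=1 -d allow_url_include=1 audit.php</literal>
  reports every check, while
  <literal>php -d display_errors=0 -d expose_php=0 -d open_basedir=/var/www
  -d disable_functions=exec,system,shell_exec,passthru,popen,proc_open
  audit.php</literal> prints <literal>no findings</literal>.
 </para>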
 <simpara>
  The flexibility of PHP's configuration is matched by the flexibility of
  its code. PHP can be used to build complete server applications, with
  all the power of a shell user, or it can be used for simple server-side
  includes with little risk in a tightly controlled environment. How you
  build that environment, and how secure it is, is largely up to the PHP
  developer.
 </simpara>
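 <para>
  An added example, not from the PHP manual, showing what "the power of a
  shell user" means in practice: each of the two capabilities named at the
  start of this chapter (executing commands, reading files) is written
  first in the form that makes a script insecure by default and then in a
  hardened form. The query parameter names, the
  <filename>/var/www/docs</filename> directory and the
  <command>ping</command> command are assumptions of the example.
 </para>

```php
<?php
// Added example, not from the PHP manual: the same two capabilities the
// text names (running commands, reading files), first written the way that
// makes a script insecure by default, then hardened. The parameter names,
// the /var/www/docs directory and the ping command are assumptions.

// VULNERABLE: the request value is spliced into a shell command, so
// ?host=example.com;id runs a second command with the server's privileges.
function ping_unsafe(string $host): string
{
    return (string) shell_exec("ping -c 1 $host");
}

// HARDENED: allow-list the shape of a host name first, then quote whatever
// passes so the shell treats it as a single argument.
function ping_safe(string $host): string
{
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// VULNERABLE: a relative path from the client selects the file, so
// ?name=../../etc/passwd reads outside the intended directory.
function read_doc_unsafe(string $name): string
{
    return (string) file_get_contents('/var/www/docs/' . $name);
}

// HARDENED: canonicalise both paths and insist the target stays under the
// intended root. realpath() resolves ".." and symlinks and returns false
// for files that do not exist, so the check sees the real location.
function read_doc_safe(string $name): string
{
    $root = realpath('/var/www/docs');                  // assumed directory
    $path = $root === false ? false : realpath($root . '/' . $name);
    if ($path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path outside document root');
    }
    return (string) file_get_contents($path);
}

// Request handling: only the hardened variants ever see request data. The
// *_unsafe functions are kept solely to show the contrast.
$host = $_GET['host'] ?? 'localhost';
$name = $_GET['name'] ?? 'readme.txt';
header('Content-Type: text/plain');
try {
    echo ping_safe($host), "\n";
    echo read_doc_safe($name), "\n";
} catch (Exception $e) {
    http_response_code(400);
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

 <para>
  Note that the hardened versions do not rely on the interpreter's
  configuration: <literal>open_basedir</literal> and
  <literal>disable_functions</literal> would limit the damage of the
  vulnerable versions, but the script must still treat every request value
  as hostile on its own.
 </para>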
 <simpara>
  This chapter starts with some general security advice, explains the
  different combinations of configuration options and the situations in
  which they can be used safely, and describes the considerations that
  apply when coding for different levels of security.
 </simpara>
</chapter>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->