PHP: Security - Manual
Last updated: Tue, 21 Dec 2004


User Contributed Notes
Security
nighma at skynet dot be
01-Mar-2005 09:04
Another new good site about security ;)

tobozo at phpsecure dot info
10-Sep-2004 02:21
another site about php and security :

some parts of the content are available in English, French or Russian... but all advisories are in English.
nick dot hristov at gmail dot com
02-Sep-2004 03:21
A correction to previous post by Dave Mink.

<Files ~ "\.inc$">
   Order allow,deny
   Deny from all
   Satisfy All
</Files>

Will not stop something like


Here is something more sophisticated for this task:

# Regex fixed: "[^ ]+" (one or more characters) so multi-character basenames match,
# stray trailing "/" delimiter removed, "Allow,Deny" written without a space
# (Apache rejects whitespace between the keywords), and AllowOverride dropped
# because it is only valid in <Directory> sections.
<Location ~ "/[^ ]+(?=\.inc(\?[^ ]*)?)">
   Options None
   Order Allow,Deny
   Deny from all
   Satisfy All
</Location>

Also, consider placing in your httpd.conf

# Same corrections as the .inc block above; this one refuses direct requests
# for .phps (syntax-highlighted source) files.
<Location ~ "/[^ ]+(?=\.phps(\?[^ ]*)?)">
   Options None
   Order Allow,Deny
   Deny from all
   Satisfy All
</Location>
29-Aug-2004 04:21
Another good source of information on writing secure PHP code is
philip
05-Aug-2004 07:19
For tips on making your PHP code [more] secure, read this:
ocrow at simplexity dot net
02-Jul-2003 12:16
If your PHP pages include() or require() files that live within the web server document root, for example library files in the same directory as the PHP pages, you must account for the possibility that attackers may call those library files directly. 

Any program level code in the library files (i.e. code not part of function definitions) will be directly executable by the caller outside of the scope of the intended calling sequence. An attacker may be able to leverage this ability to cause unintended effects.

The most robust way to guard against this possibility is to prevent your webserver from calling the library scripts directly, either by moving them out of the document root, or by putting them in a folder configured to refuse web server access. With Apache for example, create a .htaccess file in the library script folder with these directives:

# "Deny from any" is not a valid argument; Apache expects "all".
Order Allow,Deny
Deny from all
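As an added example (not from the note above or from the PHP manual), the same risk can also be contained inside PHP itself, as a second layer beside the web-server denial: the entry point defines a marker constant before including the library, and the library refuses to run any program-level code when the marker is absent. The block shows two separate files; the file names and the constant name APP_ENTRY are assumptions made for this example.

```php
<?php
// ===== file: index.php (the intended entry point) =====
// Define the marker BEFORE pulling in library code; the library checks for it.
define('APP_ENTRY', true);
require __DIR__ . '/lib.inc';

echo render_greeting($_GET['name'] ?? 'world');
</code_separator_for_second_file>
<?php
// ===== file: lib.inc (library file living under the document root) =====
// If a client requests /lib.inc directly, APP_ENTRY is not defined, so this
// guard exits before any program-level code further down can run.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Forbidden');
}

function render_greeting(string $name): string
{
    // Escape output so a "<" in user input cannot inject markup into the page.
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Program-level code like this (the kind the note above warns about) is now
// reachable only through index.php, never by calling lib.inc on its own.
$greeted_at = date('c');
```

The guard protects against direct requests even if a misconfigured .htaccess is ignored, but it does not replace keeping library files outside the document root.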
annonymous at domain dot com
27-Jun-2003 01:08
best bet is to build php as cgi, run under suexec, with chroot jailed users. Not the best, but fairly unobtrusive, provides several levels of checkpoints, and has only the detriment of being, well, kinda slow. 8)
ManifoldNick at columbus dot rr dot com
30-Apr-2003 05:30
Remember that security risks often don't involve months of prep work or backdoors or whatever else you saw on Swordfish ;) In fact one of the biggest newbie mistakes is not removing "<" from user input (especially when using message boards) so in theory a user could severely mess up a page or even have your server run php scripts which would allow them to wreak havoc on your site.
26-Feb-2003 12:00
For real security you should consider providing chrooted jails for your users.

Copyright © 2001-2005 The PHP Group
All rights reserved.