PHP security using php5.ini

marcleo
Hi, I recently downloaded phpsecinfo (from http://phpsec.org/projects/phpsecinfo/) to obtain security information about my server. I have one warning concerning force_redirect (http://www.onlineboosterclub.com/phpsecinfo/phpsecinfo/index.php).

I am using a php5.ini file to make changes. I have set the following configurations and none work:

force_redirect = on
force_redirect = 1
cgi.force_redirect = on
cgi.force_redirect = 1

Please help me determine the correct input for this line. Also, should I be concerned with any of the yellow notices that appear? I do require file upload capability.
Most Valuable Expert 2011
Top Expert 2016

Commented:
Is php5.ini the right file name?  Usually this is php.ini

Commented:
Looking at this page,...
http://www.phpbuilder.com/manual/security.cgi-bin.force-redirect.php

I wonder if you are running PHP through a cgi setup?  If not, this version of force-redirect would seem inapplicable.

Commented:
Also, this page has some useful information.  Looks like the option is going away with PHP 5.3+

Commented:
Session save path might be worth looking at, if you're on a shared server and do not trust your neighbors.  I would not be able to run my applications without allowing URL opens, etc.  This may be a "security" issue, but it only manifests if your PHP code is not written correctly.  If you follow the common mantra of Filter Input Escape Output you will almost certainly have no trouble at all.

Best regards, ~Ray

Author

Commented:
php5.ini has worked for all of the other lines. This page (http://community.godaddy.com/help/article/1085) says to use php5.ini when using PHP 5.

I am running PHP Version 5.2.8.

Thanks for your help.
Commented:
GoDaddy, eh.  So you do not have control over .htaccess.  IIRC that is where you put your php.ini definition.  I guess they have defined it for you as php5.ini.

In case you find you're really concerned about security, you may want better tech support.  When that time comes, you may want to move your site to a different host.  I use and recommend ChiHost, also LiquidWeb.

Best, ~Ray
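
A way to check the points raised in this thread (which ini file PHP actually loaded, whether PHP runs as CGI, and what value cgi.force_redirect has at runtime), as an added example that is not code from any poster. The function name describe_force_redirect is made up for illustration; every PHP call used is a standard built-in.

```php
<?php
// Added diagnostic, not from the thread. Upload it temporarily, request it once,
// then delete it: the output reveals server configuration details.

function describe_force_redirect()
{
    $report = array();

    // "cgi", "cgi-fcgi" etc. mean PHP runs as a CGI binary; "apache2handler"
    // means mod_php, where cgi.force_redirect does not apply.
    $report['sapi'] = php_sapi_name();
    $report['is_cgi'] = (strpos($report['sapi'], 'cgi') !== false);

    // Which ini file was really read (php_ini_loaded_file needs PHP >= 5.2.4).
    $report['loaded_ini'] = function_exists('php_ini_loaded_file')
        ? php_ini_loaded_file()
        : 'unknown (PHP older than 5.2.4)';
    $report['scanned_ini'] = php_ini_scanned_files();

    // Raw value parsed from the ini file, or false if the file never set it.
    $report['value_in_ini_file'] = get_cfg_var('cgi.force_redirect');

    // Effective value. The directive is registered by the CGI SAPI only, so
    // under other SAPIs it is absent from this list.
    $all = ini_get_all();
    if (isset($all['cgi.force_redirect'])) {
        $entry = $all['cgi.force_redirect'];
        $report['global_value'] = $entry['global_value'];
        $report['local_value'] = $entry['local_value'];
        // INI_SYSTEM: settable only in the ini file, never via ini_set().
        $report['system_only'] = ($entry['access'] == INI_SYSTEM);
    } else {
        $report['global_value'] = 'directive not registered under this SAPI';
    }

    return $report;
}

header('Content-Type: text/plain');
foreach (describe_force_redirect() as $key => $value) {
    echo str_pad($key, 20), var_export($value, true), "\n";
}
```

If value_in_ini_file is false while loaded_ini names a different file, the php5.ini edits are not being read; if is_cgi is false, the phpsecinfo warning concerns a setting this install does not use.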
