Basic PHP Security Test

Many posts have been written about how to properly filter user input, but one of the least discussed subjects, at least from what I’ve seen on social media, is the PHP configuration file, a.k.a. php.ini.

A couple of years ago I found out about a really cool configuration scanner called PhpSecInfo. This tool is nothing more than a script that reads the settings in your php.ini file, compares them against safer values and recommends that you change a few things.

Installing this tool is easy: first head over to this page and download the zip archive.

Now extract the contents, upload the folder it contains to your server, and open that folder in a browser. You should now see a screen similar to this one (with about 20 more tests than what I show here).

PHPSecInfo Screen

As you can see from the screen, each test performed has a color: red = warning 🙁, yellow = notice 😉 and green = pass 🙂.

If you wish to get all greens, or at least yellows, you need to change the current value in your php.ini file to the recommended value.

I got a red for “allow_url_fopen”. I know how to change the value of this to “1”, but if you don’t know how, simply click on “More Information”; this link will take you to a page that tells you what to add/change in your php.ini file.

This page tells you what you can do to get a green

After making changes to your configuration file, refresh the PHPSecInfo installation page to see your new security score. You might need to restart your server, because directives like allow_url_fopen are read once at startup and cannot be changed from a running script.
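To show what a check of this kind actually does under the hood, here is a miniature php.ini checker written for this post (it is not PhpSecInfo’s own code). It reads a handful of directives with ini_get() and rates each one with the same pass/notice/warning scheme as the tool’s screen; the “recommended” values in the table are my own hardening baseline, not PhpSecInfo’s exact rules.

```php
<?php
// Added example, not part of PhpSecInfo: a tiny php.ini checker in the spirit
// of the tool described above. The baseline below is my own (assumption),
// not the tool's rule set.

/** Normalise the strings ini_get() returns for boolean directives ("1", "On", "", "Off"). */
function iniBool(string $value): bool
{
    // FILTER_VALIDATE_BOOLEAN maps "1"/"on"/"yes"/"true" to true and everything else to false.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/** Rate one directive: 'pass', 'warning', or 'notice' when PHP does not know the directive at all. */
function rateDirective(string $name, bool $recommended): array
{
    $raw = ini_get($name);
    if ($raw === false) {
        // Directive absent from this PHP build (e.g. removed in a newer version).
        return ['name' => $name, 'current' => 'n/a', 'result' => 'notice'];
    }
    $result = iniBool($raw) === $recommended ? 'pass' : 'warning';
    // An empty string is how PHP reports "Off" for boolean directives.
    return ['name' => $name, 'current' => $raw === '' ? 'Off' : $raw, 'result' => $result];
}

// The directive from the post's screenshot plus a few closely related ones; false means "Off".
$baseline = [
    'allow_url_fopen'   => false,  // lets fopen()/file_get_contents() fetch remote URLs
    'allow_url_include' => false,  // lets include/require load code from remote URLs
    'display_errors'    => false,  // error messages and file paths shown to visitors
    'expose_php'        => false,  // X-Powered-By header reveals the PHP version
];

foreach ($baseline as $name => $recommended) {
    $r = rateDirective($name, $recommended);
    printf("%-18s %-6s %s\n", $r['name'], $r['current'], strtoupper($r['result']));
}
```

Run it with `php check.php` or drop it into the web root; note that the CLI and the web server may read different php.ini files, so `php --ini` tells you which one the command-line run is reporting on.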

PHPSecInfo With Recommended Values