In an effort to get some thought going about ways to encourage security in PHP applications, Stas has posted an idea about a simplified php.ini setting - production=On.

His idea is that, with this setting on, the PHP installation would:

• disable display errors
• disable phpinfo()
• turn expose_php off
• make max_execution_time/memory_limit reasonable
• and possibly a few others that some developers forget to set correctly

In an effort to get some thought going about ways to encourage security in PHP applications, Stas has posted an idea about a simplified php.ini setting - production=On.

His idea is that, with this setting on, the PHP installation would:

• disable display errors
• disable phpinfo()
• turn expose_php off
• make max_execution_time/memory_limit reasonable
• and possibly a few others that some developers forget to set correctly

On the PHP Security Blog, there's three new posts that Stefan Esser has written up that demonstrate some of the more destructive uses of Javascript that he's found:

• JavaScript/HTML Portscanning and HTTP Auth
• Bruteforcing HTTP Auth in Firefox with JavaScript
• JavaScript Scanning and expose_php=On

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks to see if the embedded image is the correct "size" to be related to a webserver running PHP with the expose_php setting set to "on".

On the PHP Security Blog, there's three new posts that Stefan Esser has written up that demonstrate some of the more destructive uses of Javascript that he's found:

• JavaScript/HTML Portscanning and HTTP Auth
• Bruteforcing HTTP Auth in Firefox with JavaScript
• JavaScript Scanning and expose_php=On

While the first two are interesting, it's the last of these that most directly applies to PHP. He gives a simple "proof of concept" that checks to see if the embedded image is the correct "size" to be related to a webserver running PHP with the expose_php setting set to "on".