PHP on IIS7 for Shared Hosting- AWESOME article!

check it out on IIS.NET - 

here are a couple of excerpts from the article that I strongly recommend:


PHP Security Recommendations

The following recommendations describe how to tighten security of PHP in shared hosting environment. To make the recommended changes locate and open php.ini file and edit it as described below:

  1. Disable remote URL's for file handling functions:
    • Set allow_url_fopen=Off
    • Set allow_url_include=Off
  2. Disable register_globals:
    • register_globals=Off
  3. Restrict where PHP can read and write on a file system, e.g.:
    • open_basedir="c:\inetpub\"
  4. Disable safe mode:
    • safe_mode=Off
    • safe_mode_gid=Off
  5. Limit script execution time:
    • max_execution_time=30
    • max_input_time=60
  6. Limit memory usage and file sizes:
    • memory_limit=16M
    • upload_max_filesize=2M
    • post_max_size=8M
    • max_input_nesting_levels=64
  7. Configure error messages and logging:
    • display_errors=Off
    • log_errors=On
    • error_log="C:\path\of\your\choice"
  8. Hide presence of PHP:
    • expose_php=Off

and how to ensure you can configure your own PHP.INI for each site:

Specifying php.ini location

When PHP process starts it determines the location of configuration php.ini file by using various settings. The PHP documentation provides detailed description of the PHP start up process. Note that one of the places where PHP process searches for php.ini location is the PHPRC environment variable. If PHP process finds a php.ini file in the path specified in this environment variable then it will use it, otherwise it will revert to default location of php.ini. This environment variable can be used to allow hosting customers to use their own versions of php.ini files.

For example if there are two websites: website1 and website2; located at the following file paths: C:\WebSites\website1 and C:\WebSites\website2 then the php-cgi.exe process pools in <fastCgi> section of applicationHost.config can be configured as below:

    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d">
            <environmentVariable name="PHPRC" value="C:\WebSites\website1" />
    <application fullPath="C:\PHP\php-cgi.exe" arguments="-d">
            <environmentVariable name="PHPRC" value="C:\WebSites\website2" />

This way owner of website1 can place their own version of php.ini into the C:\WebSites\website1, while the owner of website2 can use their own version of php.ini located in C:\WebSites\website2. This configuration also ensures that if there is no php.ini found in location specified by PHPRC environment variable then PHP will fall back to using the default php.ini file located in the same folder where php-cgi.exe is located.

Check it out in more detail

- jorke

Comments (0)

Skip to main content