userguide:vsite:vsitephp

PHP

BlueOnyx > Site Management > Services > PHP

PHP related security and resource settings for this virtual site. Allows you to individually adjust the PHP related security and resource settings on a per site basis.

Register Globals: For maximum security you must set register_globals to Off. Otherwise it is easily possible that unsecurely programmed PHP scripts can be used to hack your server.
Open Basedir (Server): These are the open_basedir settings as defined for the whole server under Server Management / Security / PHP. They are mandatory for every virtual site. In the field below you can specify additional directories that should be added to the open_basedir directive.
Open Basedir (Vsite): The open_basedir directive limits the file access of PHP scripts to certain directories. The Open Basedir (Server) field above shows you to which directories PHP scripts already have access to on this server. If the PHP scripts of this site need additional access to further directories, then you can specify these directories here. When the file is outside the specified directory-tree, PHP will refuse to open it.
Allow URL fopen: If enabled, allow_url_fopen allows PHPs file functions - such as file_get_contents() and the include and require statements - can retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and dont do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities and hacks reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering. Off by default.
Allow URL include: If disabled, allow_url_include bars remote file access via the include and require statements, but leaves it available for other file functions like fopen() and file_get_contents. Please note: include and require are the most common attack points for code injection attempts, so this setting plugs that particular hole without affecting the remote file access capabilities of the standard file functions. By default, allow_url_include is disabled.
Upload Max Filesize: upload_max_filesize limits the maximum size of files that PHP will accept through uploads. Attackers may attempt to send grossly oversized files to exhaust your system resources; by setting a realistic value here you can mitigate some of the damage by those attacks. By default, PHP sets this value to 2MB.
Post Max Size: This protection allows you to limit the maximum size POST request that PHP will process. Attackers may attempt to send grossly oversized POST requests to exhaust your system resources; by setting a realistic value here you can mitigate some of the damage by those attacks.
Max execution time: Maximum amount of time each script may run.
Max input time: Maximum amount of time each script may spend parsing request data.
Memory limit: Defines how much memory a script may use. Settings this to a high value leaves the server vulnerable to attacks that attempt to exhaust resources and creates an environment where poor programming practices can propagate unchecked.