PHP is a powerful tool, but if you create any piece of software there are one or two things that you should never rely on.
A good example is using PHP short tags. This is a short hand way of stating that this block are to be parsed as PHP. This is an example of a normal tag.
<?php echo 'Hello World'; >
Here is the same code using short tags.
<? echo 'Hello World'; >
Another alternative, if you just want to print the output of a variable, is to use the following.
<?='Hello World'; >
The short tags setting can be turned on or off in the php.ini file. If you create an application that relies on these short tags then you will find that on some systems the short tags setting is turned off, which means that your software will simply not work.
You can force PHP to set this setting to on by using the following rule in your .htaccess file on an Apache server.
php_flag short_open_tag on
Note that this probably works with other servers that use .htaccess but I haven't been able to test it. Two other things that are useful to turn off are register globals and magic quotes.
- php_flag magic_quotes_gpc off
- php_flag register_globals off
The register_globals setting should be turned off on any server due to security reasons, but relying on magic quotes being turned on is equally as dangerous. As a rule you should always treat anything from the user as potentially dangerous, but turning this magic quotes off will allow you to be absolutely certain that your string is properly escaped. The problem comes when you escape a string and magic quotes is turned on. You tend to find your database input has multiple slashes.
PHP5 (when using certain functions) requires that you set your timezone, you can do this by using the following rule.
php_value date.timezone "UTC"
If you are testing your PHP code then you can use the following two rules to turn on error reporting and display errors.
- php_value error_reporting "8191"
- php_value display_errors "1"
To turn this off just change the display_errors setting to 0. You would want to do this on a production server!
Finally, one last little fix is to make sure that the server doesn't allow users to simple surf the contents of your directories. The following .htaccess rule will prevent Apache from showing the contents of a directory.
- # Security: Don't allow browsing of directories
- Options -Indexes
This is almost always turned off, but it is better to be safe and include it.