sfchun
11-25-2008, 08:19 AM
Hello,
I have a future project to create a web site, so I'm getting as much information as possible about security!
And now I cannot find the best answer for how to work with PHP with the best security.
Until now I was thinking the most simple way is to do like everyone: installing PHP with apache/tomcat using mod_php...
But I found out at a hosting page (http://hkhosting.com/technical.shtml) the following message:
apache's mod_php: Anything run by mod_perl/mod_php runs under the web server's username, and environment variables and functions remain active in the web server even after your scripts have exited. This can open the possibility of trojans or privacy leaks, and is unacceptable for a multi-user environment. You must use the external perl/php interpreter as usual... You should use the external shell instead, and run your php as CGI. (We do support PERL/PHP using the external shell interpreter)
And here is what I see on php.net (http://www.php.net/manual/en/install.unix.commandline.php):
Warning: A server deployed in CGI mode is open to several possible vulnerabilities. Please read our CGI security section to learn how to defend yourself from such attacks.
So I don't know what to think/use =P
Also, I've heard about FastCGI but don't really know its advantage...
If there is any PHP expert around here, I'd like to have an open-minded opinion with (if possible) simple explanations :p
PS: I'm thinking of using tomcat rather than apache (I read it's faster and more secure (no overflow due to its Java code rather than C++)).