When we talk about PHP security, most people think about sanitizing input or preventing SQL injection — but many vulnerabilities actually come from a misconfigured PHP environment.
If your PHP installation is left at its defaults, you might be exposing more than you think. Here are some key settings to review:
- Disable display_errors in production Error messages can reveal sensitive information about your file paths, server setup, and even database structure. Always set:
display_errors = Off
log_errors = On
- Turn off dangerous functions you don’t need Functions like exec, system, shell_exec are powerful but dangerous if abused. Disable them in your php.ini with:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
- Use open_basedir restrictions Limit PHP’s file access to only the directories your application actually needs:
open_basedir = /var/www/html
- Keep PHP updated Old versions are often the easiest attack surface. Even if your code is secure, an outdated PHP version can be an open door.
If you want a practical, modern guide to PHP in 2025 — including configuration tips and secure coding practices — I recently published one here:
Link
Top comments (2)
Three bullet points (not even properly numbered) and then a "click me" link ;-)
... it's a visive bug... ;-)