
PHP

See also: Category:PHP

Mildly Useful PHP Notes

Op Code Caching and Optimisation

I prefer eAccelerator. It's easy enough to install, works well, and doesn't misbehave the way some of the alternatives do.

PHP is a modern scripting language: a script is compiled to opcode, which is then executed by a virtual machine, much as in Python and Java. The difference is that out of the box PHP compiles each script again on every request and throws the result away. We can't be having that now, can we?

eAccelerator keeps a cache of compiled scripts (in shared memory, backed by the cache directory on disk) and runs optimisation passes over the opcode. With check_mtime on it watches each script's modification time and recompiles automatically when you change a file.

# cd /usr/local/src
# wget http://bart.eaccelerator.net/source/0.9.5.3/eaccelerator-0.9.5.3.tar.bz2
# tar jxvf eaccelerator-0.9.5.3.tar.bz2
# cd eaccelerator-0.9.5.3
# phpize
# ./configure --enable-eaccelerator=shared
# make
# make install

Once the extension is installed you need to create somewhere for eAccelerator to keep its on-disk cache of compiled scripts, and a log file. Both need write permission for your web server user. Because the cache holds compiled code that the server will happily execute, make sure no other user can write to it.

# mkdir /var/lib/eaccelerator
# touch /var/log/eaccelerator
# chown apache /var/lib/eaccelerator/ /var/log/eaccelerator

Next, you just need a little configuration. I like to play it safe and leave eAccelerator disabled by default and enable it on a per-vhost basis.

Create a file in /etc/php.d such as /etc/php.d/eaccelerator.ini or edit your main php.ini file:

extension=eaccelerator.so
eaccelerator.cache_dir = "/var/lib/eaccelerator"
eaccelerator.enable = 0
eaccelerator.optimizer = 0
eaccelerator.debug = 0
eaccelerator.log_file = "/var/log/eaccelerator"
eaccelerator.check_mtime = "1"
eaccelerator.filter = ""

Then in the Apache configuration for each vhost that should use it, add the following. Use php_admin_flag rather than php_flag so that a .htaccess file inside the site cannot change the setting:

php_admin_flag eaccelerator.enable on
php_admin_flag eaccelerator.optimizer on

Finally, check the configuration and restart Apache:

# apachectl -t && apachectl graceful

Image Manipulation with MagickWand and ImageMagick

ImageMagick is a really great library for manipulating images and graphics. Think Photoshop. It comes with excellent command line programs such as convert, and it can be linked into other programs.

MagickWand is a PHP extension which wraps ImageMagick. You could instead call the ImageMagick command line utilities from PHP via system() or exec(), but as a rule I don't like enabling those functions on a web server.

Sadly MagickWand is now unmaintained. It's a shame, because it's very good and has excellent documentation. Imagick looks like the one to use now: it has an object-oriented API and may even end up bundled with PHP.

If, like me, you still have some old sites that need MagickWand, you'll have difficulty getting hold of matching versions of the source code. The best combination I've found is MagickWand 1.0.5 with ImageMagick 6.3.5-10.

Securing PHP Vhosts with Suhosin

PHP earned a bad reputation for security, partly because the low barrier to entry meant that people with little idea what they were doing started writing web sites, and partly because the language has some genuinely insecure features.

These days, with PHP 5, the default settings are pretty good. They're not perfect, however, and for some sites they need tightening further. If you are running just one PHP site on a server the changes are easy; it gets trickier with several PHP sites on the same web server. You can use PHP CGI to give different sites different settings, but PHP CGI carries its own issues. It's just better to use mod_php5 with Apache.

You can use your Apache configuration to apply different PHP settings per virtual host or directory. The problem is that this doesn't work for every setting: some of the most important ones, disable_functions for example, are system-level and can only be set globally, in the main php.ini.

Enter Suhosin (aka Hardened PHP). You can install Suhosin as a patch to PHP if you compile PHP from source, or as a PHP extension. The patch adds protection to the Zend Engine, the core of PHP; for my purposes I've only ever needed the extension.

The Suhosin extension offers many features to improve PHP's security and to give you more control over PHP settings. It improves session protection, can whitelist and blacklist functions and classes, and lets you limit various things such as the number of POST variables that can be sent to your web application.

I mainly use Suhosin for session protection and to be able to limit which PHP functions can or cannot be used in any particular virtual host or directory.

The Suhosin extension needs to be compiled from source:

# cd /usr/local/src
# wget http://download.suhosin.org/suhosin-0.9.27.tgz
# tar zxvf suhosin-0.9.27.tgz
# cd suhosin-0.9.27
# phpize
# ./configure
# make
# make install

Next you need an ini file which loads the extension and applies some default settings. I like to leave the session protection on and to blacklist a lot of risky functions by default; these can then be relaxed per vhost or directory in the Apache configuration. Check the spelling of every name in the blacklist: Suhosin matches entries against function names literally, so a misspelt entry quietly protects nothing.

/etc/php.d/suhosin.ini:

extension=suhosin.so
; maximum number of uploaded files accepted per request
suhosin.uploads.max_uploads=5
; refuse preg_replace() with the /e modifier, which evaluates the replacement as PHP code
suhosin.executor.disable_emodifier=on
; functions that may not be called from PHP; blocked calls are logged
suhosin.executor.func.blacklist="exec,create_function,passthru,system,shell_exec,popen,proc_close,proc_get_status,proc_open,proc_terminate"
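As an added example (not code from the original page, and assuming PHP 5 with Suhosin loaded), here is what suhosin.executor.disable_emodifier guards against: a preg_replace() call using the /e modifier, beside the preg_replace_callback() version that is safe regardless of the Suhosin setting. The function names and the payload are constructed for illustration.

```php
<?php
// Added example, not code from the original page: what
// suhosin.executor.disable_emodifier protects against. On PHP 5 the /e
// modifier makes preg_replace() evaluate its replacement string as PHP code
// for every match, so user input that reaches a match becomes code execution.
// (/e was removed in PHP 7, so this only runs on PHP 5.)

// VULNERABLE: uppercase whatever the user typed, using /e. Before evaluation
// PHP substitutes the matched text for \\1, escaping quotes and backslashes,
// but the {${...}} syntax inside a double-quoted string still calls functions,
// and attackers avoid needing quotes with tricks such as chr().
function shout_unsafe($text)
{
    return preg_replace('/^(.+)$/e', 'strtoupper("\\1")', $text);
}

// HARDENED: the same transformation with preg_replace_callback(). The callback
// is ordinary code; nothing from the input is ever evaluated.
function shout_callback(array $m)
{
    return strtoupper($m[1]);
}

function shout_safe($text)
{
    return preg_replace_callback('/^(.+)$/', 'shout_callback', $text);
}

// Constructed attacker input. Substituted into the replacement it yields
// strtoupper("{${phpinfo()}}"), which calls phpinfo() when evaluated.
$payload = '{${phpinfo()}}';

header('Content-Type: text/plain');
echo "safe:   ", shout_safe($payload), "\n";   // "{${PHPINFO()}}", nothing executed

// With suhosin.executor.disable_emodifier=on Suhosin refuses this call and
// logs an alert; with it off, phpinfo() runs with the web server's privileges.
$result = shout_unsafe($payload);
echo "unsafe: ", var_export($result, true), "\n";
```

Run it once with the default suhosin.ini above and once from a vhost that turns disable_emodifier off to see the difference; the safe version behaves identically in both.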

Then in your apache vhost configuration you can say things like:

<VirtualHost *:80>
        DocumentRoot /var/www/vhosts/example.com/htdocs
        ServerName www.example.com
        UseCanonicalName Off
        <Directory /var/www/vhosts/example.com/htdocs>
                # php_admin_value cannot be overridden from a .htaccess file
                php_admin_value suhosin.executor.disable_emodifier "off"
                # "none" is not a function name, so this list matches nothing
                php_admin_value suhosin.executor.func.blacklist "none"
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

Suhosin also has its own default settings, which are described in the Suhosin Configuration Docs.

When you are happy with the settings, check the configuration, restart Apache and then confirm that everything is OK with your web sites:

# apachectl -t && apachectl graceful
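The following is an added check script, not from the original page, that ties the eAccelerator and Suhosin procedures above together: dropped into a vhost's document root it reports which eAccelerator and Suhosin settings are really in effect for that vhost (php.ini, php_admin_value and .htaccess interactions are easy to get wrong) and warns about blacklist entries that are not real functions. The function names and the expected-state table are assumptions; adjust them to each vhost's configuration and delete the script when you are done.

```php
<?php
// Added example, not code from the original page: a check script to drop into
// a vhost's document root while you are testing (delete it afterwards). It
// reports the eAccelerator and Suhosin settings actually in effect for that
// vhost and flags blacklist entries that are not real function names, since a
// misspelt entry (for instance "p_open" instead of "popen") silently leaves
// the real function callable.

// php.ini turns "on" into "1", but a php_admin_value in httpd.conf is stored
// as the literal string, so both forms have to be accepted.
function ini_is_on($value)
{
    $v = strtolower(trim((string) $value));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Describe one setting: whether its extension is loaded and whether its
// effective value matches what this vhost is supposed to have.
function describe_setting($ext, $setting, $expect_on)
{
    if (!extension_loaded($ext)) {
        return "$setting: extension $ext NOT LOADED";
    }
    $raw = ini_get($setting);
    $ok  = (ini_is_on($raw) === $expect_on) ? 'ok' : 'MISMATCH';
    $want = $expect_on ? 'on' : 'off';
    return "$setting=" . var_export($raw, true) . " [$ok, expected $want]";
}

// Suhosin accepts comma- or whitespace-separated function lists.
function parse_func_list($list)
{
    $names = preg_split('/[\s,]+/', trim((string) $list), -1, PREG_SPLIT_NO_EMPTY);
    return array_map('strtolower', $names);
}

// Blacklist entries that do not name a defined function. Suhosin does not
// remove blacklisted functions from the engine, so function_exists() still
// sees the real ones; only typos (and the dummy "none") come back here.
function unknown_functions(array $names)
{
    $unknown = array();
    foreach ($names as $name) {
        if ($name !== 'none' && !function_exists($name)) {
            $unknown[] = $name;
        }
    }
    return $unknown;
}

// Expected state for this vhost (assumed; adjust to its Apache configuration).
$expect = array(
    array('eaccelerator', 'eaccelerator.enable',                true),
    array('eaccelerator', 'eaccelerator.optimizer',             true),
    array('suhosin',      'suhosin.executor.disable_emodifier', true),
);

header('Content-Type: text/plain');
foreach ($expect as $e) {
    echo describe_setting($e[0], $e[1], $e[2]), "\n";
}

if (extension_loaded('suhosin')) {
    $blacklist = parse_func_list(ini_get('suhosin.executor.func.blacklist'));
    echo "suhosin.executor.func.blacklist: ", implode(',', $blacklist), "\n";
    foreach (unknown_functions($blacklist) as $name) {
        echo "  WARNING: '$name' is not a defined function; check for a typo\n";
    }
}
```

Request the script through each vhost rather than running it from the command line: the CLI reads a different php.ini and never sees the php_admin_value directives, so only an HTTP request shows the settings mod_php applies to that site.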
