PHP Security: Limit Resources Used By Script

How do I control and put limits on php scripts such as maximum execution time of each script and upload file size?

PHP supports the following resource limits directives in php.ini file:


  1. max_execution_time : Maximum execution time of each script, in seconds.
  2. max_input_time : Maximum amount of time each script may spend parsing request data.
  3. memory_limit : Maximum amount of memory a script may consume.
PHP limits

Edit /etc/php.ini or /etc/php/7.0/fpm/php.ini (the PHP 7.0 FPM config), enter:
# vi /etc/php.ini
OR
# vi /etc/php/7.0/fpm/php.ini
Set up values as follows:

max_execution_time =  30
max_input_time = 30
memory_limit = 40M

Set maximum size of POST data that PHP will accept:

post_max_size = 8M

Set maximum allowed size for uploaded files:

upload_max_filesize = 2M

Turn on or off HTTP file uploads (disallow uploading unless necessary):

file_uploads = Off

Make sure PHP redirects appropriately with the following:

cgi.force_redirect = 0

Disable treating URLs as files in fopen() and similar calls with the following:

allow_url_fopen = Off

Turn on SQL safe mode:

sql.safe_mode = On

If you set sql.safe_mode, you need to set the following too:
mysqli.default_host = "192.168.1.252"
mysqli.default_port = "3306"
mysqli.default_user = "userNameHere"
mysqli.default_pw = "PasswordHere"

Now your Perl/PHP/Python scripts can directly connect to the database without passing host, user, and password information. Next, reload the Apache web server:
# service httpd reload
OR
Reload lighttpd web server:
# /etc/init.d/lighttpd reload
OR reload php7.0-fpm:
# /etc/init.d/php7.0-fpm reload
OR use systemctl command:
# systemctl reload php7.0-fpm
Note that any attempt to exceed these limits will result in a “500 Server Error”. For more information see Linux: 25 PHP Security Best Practices For Sys Admins
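The directives above are only as good as the values that actually reach PHP, and php.ini has two traps that make a quick eyeball check unreliable: a directive may be assigned more than once (the last uncommented assignment wins), and the "unlimited" spellings (0 for max_execution_time, -1 for memory_limit) look like small numbers. The following audit script is an added example, not part of the original post or of PHP: it parses a php.ini, expands the K/M/G shorthand to bytes, compares every directive against the values recommended above, and also checks the two consistency rules that trip people up (upload_max_filesize must not exceed post_max_size, and post_max_size must not exceed memory_limit). The policy numbers are taken from the article; the sample php.ini is constructed for the demonstration and deliberately contains three problems.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini against the
# resource limits recommended in the article. Effective value of a directive
# is its last uncommented assignment; shorthand sizes (K/M/G) are expanded to
# bytes; 0 (max_execution_time) and -1 (memory_limit) mean "unlimited" in PHP
# and are flagged instead of being treated as small numbers.

# Policy taken from the article's values (assumed policy; adjust as needed).
POLICY_MAX_EXEC=30
POLICY_MAX_INPUT=30
POLICY_MEMORY=40M
POLICY_POST=8M
POLICY_UPLOAD=2M

# write_sample_ini PATH: write a constructed sample php.ini with three
# deliberate problems. On a real host, audit /etc/php.ini or
# /etc/php/7.0/fpm/php.ini instead of this file.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real server's configuration
[PHP]
max_execution_time = 30
max_input_time = 30
;memory_limit = 128M
memory_limit = 40M
post_max_size = 8M
upload_max_filesize = 10M ; exceeds both the policy and post_max_size
file_uploads = On
allow_url_fopen = Off
EOF
}

# ini_value FILE DIRECTIVE: print the effective value ("" if unset).
ini_value() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ { next }                      # skip comment lines
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)             # drop trailing comment
            eq = index(line, "=")
            if (eq == 0) next                       # section headers etc.
            k = substr(line, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            gsub(/^[ \t"]+/, "", v); gsub(/[ \t"]+$/, "", v)
            val = v                                 # last assignment wins
        }
        END { print val }' "$1"
}

# to_bytes VALUE: expand PHP shorthand (e.g. 8M) to bytes; -1 passes through.
to_bytes() {
    num=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) printf '%s\n' $((num * 1024)) ;;
        *[Mm]) printf '%s\n' $((num * 1048576)) ;;
        *[Gg]) printf '%s\n' $((num * 1073741824)) ;;
        *)     printf '%s\n' "$num" ;;
    esac
}

# audit_php_ini FILE: print one line per finding; return the finding count.
audit_php_ini() {
    f="$1"; findings=0
    fail() { echo "FINDING: $1"; findings=$((findings + 1)); }

    v=$(ini_value "$f" max_execution_time)
    { [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le "$POLICY_MAX_EXEC" ]; } \
        || fail "max_execution_time='${v:-unset}' (0 is unlimited), want 1..$POLICY_MAX_EXEC"

    v=$(ini_value "$f" max_input_time)
    { [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le "$POLICY_MAX_INPUT" ]; } \
        || fail "max_input_time='${v:-unset}', want 1..$POLICY_MAX_INPUT"

    mem=$(to_bytes "$(ini_value "$f" memory_limit)")
    { [ -n "$mem" ] && [ "$mem" -gt 0 ] && [ "$mem" -le "$(to_bytes $POLICY_MEMORY)" ]; } \
        || fail "memory_limit='${mem:-unset}' bytes (-1 is unlimited), want <= $POLICY_MEMORY"

    post=$(to_bytes "$(ini_value "$f" post_max_size)")
    { [ -n "$post" ] && [ "$post" -le "$(to_bytes $POLICY_POST)" ]; } \
        || fail "post_max_size='${post:-unset}' bytes, want <= $POLICY_POST"

    up=$(to_bytes "$(ini_value "$f" upload_max_filesize)")
    { [ -n "$up" ] && [ "$up" -le "$(to_bytes $POLICY_UPLOAD)" ]; } \
        || fail "upload_max_filesize='${up:-unset}' bytes, want <= $POLICY_UPLOAD"

    # Consistency: an upload bigger than post_max_size is dropped before the
    # script sees it, and a body bigger than memory_limit cannot be parsed.
    [ -n "$up" ] && [ -n "$post" ] && [ "$up" -gt "$post" ] \
        && fail "upload_max_filesize ($up) exceeds post_max_size ($post)"
    [ -n "$post" ] && [ -n "$mem" ] && [ "$mem" -gt 0 ] && [ "$post" -gt "$mem" ] \
        && fail "post_max_size ($post) exceeds memory_limit ($mem)"

    # Boolean directives the article turns off.
    for flag in file_uploads allow_url_fopen; do
        v=$(ini_value "$f" "$flag")
        case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
            off|0|false|no|"") ;;
            *) fail "$flag='$v', want Off" ;;
        esac
    done

    return "$findings"
}

# Usage: audit the constructed sample (swap in your real php.ini path).
SAMPLE_INI="${TMPDIR:-/tmp}/php-audit-sample.$$.ini"
write_sample_ini "$SAMPLE_INI"
n=0
audit_php_ini "$SAMPLE_INI" || n=$?
echo "$n finding(s) in $SAMPLE_INI"
rm -f "$SAMPLE_INI"
```

Run it against the real file with `write_sample_ini` left out and `SAMPLE_INI` pointed at /etc/php.ini; the exit status of audit_php_ini is the number of findings, so it drops straight into a cron job or a deploy check. The script reads only the php.ini file itself, so remember that a per-directory .user.ini or an Apache php_admin_value can still override what it reports.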

6 comments
  • Roy Kaldung Feb 8, 2010 @ 19:20

    The most of these settings can be restricted to specific VirtualHosts. For details
    see http://www.php.net/manual/en/ini.list.php and http://php.net/manual/en/configuration.changes.modes.php.

  • Juan Giordana Feb 9, 2010 @ 6:27

    You don’t need to reload lighty, you need to reload php-cgi or php-fpm.

  • 🐧 nixCraft Feb 9, 2010 @ 8:07

    @Juan

    When you reload Lighttpd it reloads php-fastcgi too.

  • Nilesh Feb 9, 2010 @ 17:12

    @vivek, do you personally use ‘vi’ to edit files ???? vi sucks. vim rocks.

    BTW, isn’t this very basic? Somebody who reads the manual well b4 setup knows this. But it’s funny that there are ppl who don’t do that LOL.

    • 🐧 nixCraft Feb 9, 2010 @ 17:17

      @Nilesh: vi is aliased to vim. On production server I do not install vim and just use whatever is shipped with distro. Less is better :)

  • Nilesh Feb 10, 2010 @ 8:17

    @vivek, vi is ok for editing simple config files, but it’s WORST for editing config files like those of apache. vi cannot highlight whereas vim can.

    vi is not always symlinked to vim. In my system (Arch) it’s linked to ex, and it sucks to the core.
    I’ve removed it and set $EDITOR globally to vim. Even on my VPS I use vim instead of vi. :)

    BTW, where’s the global comment feed ?
