register_globals = Off
magic_quotes_gpc = Off
allow_url_include = Off
You can also check a few session-related directives in order to improve how your server handles sessions.
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off
; ...
[Session]
session.save_handler = files
session.save_path = "/var/www/sessions"
session.use_cookies = 1
session.name = PHPSESSID
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
- mysql.allow_persistent: Turn it on if you want MySQL to use persistent connections (a connection is kept open across several HTTP requests instead of being closed after each one).
- mysql.max_persistent: Set the maximum number of persistent connections allowed by MySQL (-1 means the maximum the system can offer).
- mysql.max_links: Set the maximum number of connections allowed by MySQL (-1 means the maximum the system can offer).
- mysql.connect_timeout: Set the number of seconds MySQL must wait before declaring a connection as lost.
- mysql.trace_mode: When this mode is activated, MySQL shows warnings for non-freed result sets and MySQL errors.
- For more information about MySQL directives: http://fr.php.net/manual/en/mysql.configuration.php
- session.save_handler: Defines the name of the handler which is used for storing and retrieving the data associated with a session.
- session.save_path: Defines the argument which is passed to the save handler; with the "files" handler, this is the directory where sessions will be saved.
- session.use_cookies: Specifies whether the server will use cookies to store the session id on the client side.
- session.name: Specifies the name of the session, which is used as the cookie name.
- session.cookie_path: Specifies the path to set in the session cookie (default: "/").
- session.cookie_domain: Specifies the domain to set in the session cookie. If it is empty, the server's host name will be used, according to the cookie specifications.
- session.serialize_handler: Defines the name of the handler which is used to serialize/deserialize data.
- For more information about sessions: http://fr.php.net/manual/en/session.configuration.php
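To check that a php.ini actually carries the values discussed above (the three directives set to Off, sessions stored with the "files" handler in an explicit directory and tracked with cookies), here is an added example, not code from the PrestaShop documentation. The expected values and the sample php.ini excerpt are constructed from the directives listed above; the session.cookie_httponly line, which the page leaves empty, is deliberately not checked.

```python
# Added example: parse a php.ini excerpt and report the directives whose value
# differs from what this page recommends. Not part of the original documentation.

# Directive values recommended on this page (booleans normalised to "on"/"off").
EXPECTED = {
    "register_globals": "off",
    "magic_quotes_gpc": "off",
    "allow_url_include": "off",
    "session.use_cookies": "on",
    "session.save_handler": "files",
}

def normalize(value):
    """Map the spellings php.ini accepts for booleans onto 'on'/'off'."""
    v = value.lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    if v in ("", "0", "off", "false", "no", "none"):
        return "off"
    return v                                    # non-boolean value, e.g. "files"

def parse_php_ini(text):
    """Return {directive: value} from php.ini text, ignoring comments and [Sections]."""
    values = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()     # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                            # blank line, section header, or junk
        key, value = (part.strip() for part in line.split("=", 1))
        values[key.lower()] = value.strip("\"'")  # php.ini allows quoted values
    return values

def check_php_ini(text):
    """Return [(directive, found_or_None, expected)] for each directive to fix."""
    values = parse_php_ini(text)
    problems = []
    for directive, expected in EXPECTED.items():
        if directive not in values:             # not set explicitly: report it
            problems.append((directive, None, expected))
        elif normalize(values[directive]) != expected:
            problems.append((directive, normalize(values[directive]), expected))
    if not values.get("session.save_path"):     # the files handler needs a directory
        problems.append(("session.save_path", values.get("session.save_path"), "<directory>"))
    return problems

# Constructed sample: everything matches the page except register_globals.
SAMPLE_INI = """\
; constructed php.ini excerpt
register_globals = On
magic_quotes_gpc = Off
allow_url_include = Off   ; keeps remote file inclusion disabled
[Session]
session.save_handler = files
session.save_path = "/var/www/sessions"
session.use_cookies = 1
"""

if __name__ == "__main__":
    for directive, found, expected in check_php_ini(SAMPLE_INI):
        print(f"{directive}: found {found!r}, expected {expected!r}")
```

Run against the sample, it reports only register_globals; against a real php.ini, every directive the page asks you to check that is missing or set differently.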
The only problem is that Safe Mode is implemented inside PHP itself: if the PHP engine is vulnerable, a user could bypass Safe Mode. If you host several web applications on the same server, or if you simply want to protect your server with another solution, I invite you to read the first paragraph of the recommendations part.
MySQL often comes with a default administrator account ("root", "admin"...), which gives access to the content of all databases, no matter who manages them. The administrator has every right and can perform any action. You therefore need to protect your databases, so as to prevent your web applications from succumbing to SQL injection (which becomes far more damaging when a user succeeds in obtaining the admin password).
If you have just installed MySQL, do add a password to the root account, which has no password by default.
One user per web application
Each time you install a new web application on your server, you must create a new MySQL user with just the rights needed to handle that application's data. Do NOT use the same username to handle the databases of all your installed web applications.
You can now install PrestaShop safely.
You can also check a few directives to make your database access more efficient:
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off
mysql.allow_persistent: Turn it on if you want MySQL to use persistent connections (a connection is kept open across several HTTP requests instead of being closed after each one).
mysql.max_persistent: Set the maximum number of persistent connections allowed by MySQL (-1 means the maximum the system can allow).
mysql.max_links: Set the maximum number of connections allowed by MySQL (-1 means the maximum the system can allow).
mysql.connect_timeout: Set the number of seconds MySQL must wait before declaring a connection as lost.
mysql.trace_mode: When this mode is activated, MySQL shows warnings for table/index scans, non-freed result sets, and SQL errors.
- For more information about MySQL directives: http://fr.php.net/manual/en/mysql.configuration.php
Basic authentication establishment (.htaccess)