V2:Security Configuration

From PhpInputValidator


phpInputValidator ships with default security configuration settings that are applied whenever no value overrides them, so if you do not want to configure the system you do not have to.


How to configure

To configure phpInputValidator security, pass an array of configuration values under the 'security' key of the array given to the constructor when creating a new instance of the class. Here is an example:

$config = array('security' => array('email_from' => 'foo@bar.com', 'htaccess_location' => dirname(__FILE__).'/'));
$getvar = new phpInputValidator($config);

Configuration options

append (string)

Any data that you want appended to the security log entry or security email, for example a username or user ID.

Example

$config = array('security' => array('append' => 'UserID: '.get_uid()));

email_from (string)

The address the security alert emails are sent from.

Example

$config = array('security' => array('email_from' => 'foo@bar.com'));

function (string)

When an attack is detected, this function is run.

Example

$config = array('security' => array('function' => 'attacked'));

Note

If this is set, ONLY this function will run; no other security alerts will be triggered by phpInputValidator.
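Because the 'function' option replaces every other alert, the callback has to do its own recording. The handler below is an added example, not code from phpInputValidator; it assumes the library calls the function with no arguments (an assumption, since the page does not document the signature), so it reads what it needs from $_SERVER, writes a single sanitised log line and answers with a generic error.

```php
<?php
// Added example (not part of phpInputValidator): a handler for the
// 'function' option. ASSUMPTION: the library calls it with no arguments,
// so everything it needs is read from $_SERVER. Since only this function
// runs when the option is set, it must do its own logging.
function attacked()
{
    // Trust only REMOTE_ADDR: proxy headers such as X-Forwarded-For are
    // client-supplied and must not be recorded as fact.
    $ip  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

    // Strip CR/LF and cap the length so a crafted parameter cannot forge
    // or split log entries.
    $uri  = substr(preg_replace('/[\r\n]/', ' ', $uri), 0, 200);
    $line = sprintf('[%s] phpInputValidator blocked request from %s to %s',
        date('c'), $ip, $uri);
    error_log($line . PHP_EOL, 3, dirname(__FILE__) . '/attacked.log');

    // Respond generically; never echo the matched input back to the client.
    http_response_code(400);
    header('Content-Type: text/plain');
    echo 'Bad request';
    exit;
}

$config = array('security' => array('function' => 'attacked'));
$getvar = new phpInputValidator($config);
```

The log file path and the message format are choices made for this example; the one rule worth keeping is that nothing taken from the request is written to the log or the response without being flattened to a single bounded line.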

htaccess_location (string)

When an attack is detected, the user's IP address is added to the deny list in the .htaccess file at this location.

Example

$config = array('security' => array('htaccess_location' => dirname(__FILE__).'/'));
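phpInputValidator performs the .htaccess write itself when 'htaccess_location' is set. The function below is an added illustration, not the library's code, of the checks that matter before any such write: the value must be a literal IP address (it is going into a server configuration file), the write must be locked, and duplicates should not accumulate. The deny_ip_in_htaccess name and the "deny from" line format are this example's own assumptions.

```php
<?php
// Added example, not phpInputValidator's own implementation: a guarded
// append to an .htaccess deny list. The function name and the
// "deny from <ip>" line format (mod_access / mod_access_compat syntax)
// are assumptions made for this illustration.
function deny_ip_in_htaccess($dir, $ip)
{
    // Refuse anything that is not a literal IP address; free text must
    // never reach a server configuration file.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $file = rtrim($dir, '/') . '/.htaccess';
    $fh = fopen($file, 'a+');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        return false;
    }
    // Skip duplicates so repeated detections do not grow the file.
    rewind($fh);
    $existing = stream_get_contents($fh);
    $entry = "deny from $ip\n";
    if (strpos($existing, $entry) === false) {
        fseek($fh, 0, SEEK_END);
        fwrite($fh, $entry);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return true;
}

// Matches the option's example: the location is a directory ending in '/'.
$config = array('security' => array('htaccess_location' => dirname(__FILE__).'/'));
```

Note that automatic denies are only as good as the detection feeding them: a false positive from the scan patterns locks out that address, and users behind shared NAT share one. Keep an eye on the file's growth and review what lands in it.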

log_file (string)

The file to which detected attacks are logged.

Example

$config = array('security' => array('log_file' => 'attacked.log'));

scan_both (array of strings)

Regular expressions used to scan both POST and GET data.

Example

$config = array('security' => array('scan_both' =>  array(
        '/\.?\.\//',    //Look for ../ or ./
        '|//|',         //Look for //
        '#\w?\s?union\s\w*?\s?(select|all|distinct|insert|update|drop|delete)#is',      //Union attacks
)));

scan_get (array of strings)

Regular expressions used to scan GET data.

Example

$config = array('security' => array('scan_get' =>  array(
        '/\.?\.\//',    //Look for ../ or ./
        '|//|',         //Look for //
        '#\w?\s?union\s\w*?\s?(select|all|distinct|insert|update|drop|delete)#is',      //Union attacks
)));

scan_post (array of strings)

Regular expressions used to scan POST data.

Example

$config = array('security' => array('scan_post' =>  array(
        '/\.?\.\//',    //Look for ../ or ./
        '|//|',         //Look for //
        '#\w?\s?union\s\w*?\s?(select|all|distinct|insert|update|drop|delete)#is',      //Union attacks
)));
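The three scan_* options share the same patterns, so one added example serves all of them. It is not phpInputValidator's own scanner; it runs the three regexes from the examples above over constructed request values (standing in for $_GET and $_POST) so you can see what each pattern does and does not match before enabling it.

```php
<?php
// Added example, not phpInputValidator's scanner: apply the patterns from
// the scan_* examples to constructed input and report which values match.
$patterns = array(
    '/\.?\.\//',    // ../ or ./
    '|//|',         // //
    '#\w?\s?union\s\w*?\s?(select|all|distinct|insert|update|drop|delete)#is', // UNION queries
);

// Constructed sample values standing in for $_GET / $_POST.
$samples = array(
    'page'     => 'about',
    'file'     => '../../etc/passwd',
    'q'        => "' UNION SELECT user,pass FROM accounts --",
    'homepage' => 'http://example.com/',   // legitimate value containing //
    'rel'      => './docs/index',          // legitimate relative path
);

// Returns name => list of patterns that matched that value.
function scan_values(array $values, array $patterns)
{
    $hits = array();
    foreach ($values as $name => $value) {
        foreach ($patterns as $pattern) {
            if (preg_match($pattern, $value)) {
                $hits[$name][] = $pattern;
            }
        }
    }
    return $hits;
}

foreach (scan_values($samples, $patterns) as $name => $matched) {
    echo "$name matched: " . implode(', ', $matched) . "\n";
}
```

Running this flags 'file' and 'q' as intended, but also 'homepage' (any value containing //, so every absolute URL) and 'rel' (any ./ path). Patterns this broad are fine for a form that never legitimately carries URLs or paths; for one that does, use scan_get or scan_post to scope them, or tighten the expressions, rather than accepting that real users trigger the attack response.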

swift_mailer_path (string)

The absolute path to Swift Mailer.

Example

$config = array('security' => array('swift_mailer_path' => dirname(__FILE__).'/'));

Note

If Swift Mailer is not installed, PHP's mail() will be used instead.

By default Swift Mailer uses the standard mail function. If you would like to reconfigure it, open /lib/includes/security/respond/class.email.inc.php and find the _swift function. There you can reconfigure it following the Swift Mailer sending documentation.