PhpSecInfo Test Information

memory_limit

Test Description

Determines if memory_limit is enabled and no greater than 8MB.

Security Implications

As with all applications, PHP applications require memory to execute. By enabling a realistic memory_limit you can protect your applications from certain types of denial of service attacks, and also from bugs in applications (such as infinite loops, poor use of image based functions, or other memory intensive mistakes). A setting of 8MB is sufficient for the vast majority of scripts, but still aggressive enough to catch problems before too much damage is done.

Recommendations

Unless you are sure you need more, keep memory_limit no higher than 8 megabytes.

memory_limit must be enabled at configure time using the --enable-memory-limit option.

You can set memory_limit in the php.ini file:

; Lower memory_limit for security reasons
memory_limit = 8M

The setting can also be applied in Apache's httpd.conf file, or an .htaccess file:

# Lower memory_limit for security reasons
php_value  memory_limit  8M
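
The check this test describes, written out as an added example (not PhpSecInfo's own code): it reads the effective memory_limit with ini_get(), converts php.ini shorthand to bytes, and reports whether a limit is enforced and within the 8M recommendation. The function names and result strings are hypothetical, and the sample values are constructed.

```php
<?php
// Added example, not PhpSecInfo's own code. Function names are hypothetical.
const RECOMMENDED_MAX_BYTES = 8 * 1024 * 1024; // the 8M threshold from this page

// Convert php.ini shorthand ("8M", "8192K", "1G", "8388608", "-1") to bytes.
// Returns null when the value is not a recognisable size.
function shorthand_to_bytes(string $value): ?int
{
    $value = trim($value);
    if ($value === '-1') {
        return -1; // documented way to switch the limit off
    }
    if (!preg_match('/^(\d+)\s*([KMG]?)$/i', $value, $m)) {
        return null;
    }
    $bytes = (int) $m[1];
    switch (strtoupper($m[2])) {
        case 'G': $bytes *= 1024; // fall through
        case 'M': $bytes *= 1024; // fall through
        case 'K': $bytes *= 1024;
    }
    return $bytes;
}

// Classify a value as returned by ini_get('memory_limit').
function check_memory_limit($raw): string
{
    // ini_get() returns false when the directive does not exist at all,
    // e.g. a build where memory_limit support was not compiled in.
    if ($raw === false) {
        return 'FAIL: memory_limit is not available in this build';
    }
    $bytes = shorthand_to_bytes((string) $raw);
    if ($bytes === null) {
        return 'FAIL: cannot parse memory_limit value';
    }
    if ($bytes < 0) {
        return 'FAIL: memory_limit is -1, so no limit is enforced';
    }
    if ($bytes > RECOMMENDED_MAX_BYTES) {
        return sprintf('WARN: memory_limit is %d bytes, above the recommended 8M', $bytes);
    }
    return sprintf('OK: memory_limit is %d bytes', $bytes);
}

// Constructed sample values first, then the live setting of this interpreter.
$samples = ['8M', '8192K', '128M', '1G', '-1', 'lots', false, ini_get('memory_limit')];
foreach ($samples as $value) {
    printf("%-12s => %s\n", var_export($value, true), check_memory_limit($value));
}
```

Run it under the same SAPI that serves the application: the command-line interpreter often loads a different php.ini and does not see httpd.conf or .htaccess overrides.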
