I do not work at or own a hosting company, but from a PHP security viewpoint, I would say this:
register_globals on makes PHP automatically convert $_GET or $_POST variables to global variables. Say that you call admin.php?loggedin=1&isadmin=1 and have register_globals on: the variables $_GET['loggedin'] and $_GET['isadmin'] would automatically be converted into $loggedin and $isadmin, both with the value of 1. This is often seen as a major source of PHP security holes.
allow_url_fopen allows you to open offsite files with PHP, and is often seen as a security hazard as well; it's a bit harder to explain though...
(If you don't have an error_log value, set it to something like /var/log/php_log etc.)
error_reporting = E_ALL & ~E_NOTICE | E_STRICT
Here we set errors to be logged, and not displayed to the client. Often a hacker will need the full path to a script, or the MySQL error when doing MySQL injections, and a normal way to get these is to make the script generate an error which will then contain the information needed... The reported errors are all, except for notices and stricts, since a lot of PHP coders don't care about whether or not they make these kinds of errors; most of the time the script will work anyway. If you wish to log notices and stricts as well, your log file will be filled up very quickly. Note that strict should not be included in PHP versions under 5.0.
disable_functions = proc_open, popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
These are most of the system-level commands which can really do some damage to your system if your permissions aren't right.
It's generally a good idea to set open_basedir values for the different virtual hosts as well (can be done in the Apache conf with the <VirtualHost> or <Directory> blocks). Hope that answers your question well enough.
|| Semi-professional PHP developer || Exams right now, don't I just feel lucky? ||
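Added example, not part of the original post: a PHP script that reports which of the settings discussed in the post above differ in the running configuration. The names `WANT_DISABLED`, `ini_on` and `audit` are made up for this example, and it assumes PHP 7 or later; run it under the same SAPI (web server or CLI) whose php.ini you want to check.

```php
<?php
// Added example, not from the original post: report which of the settings
// discussed above differ in the running PHP configuration.

// The disable_functions list exactly as given in the post.
const WANT_DISABLED = ['proc_open', 'popen', 'disk_free_space', 'diskfreespace',
    'set_time_limit', 'leak', 'tmpfile', 'exec', 'system', 'shell_exec', 'passthru'];

// ini_get() returns false when the running PHP version has no such directive
// (register_globals was removed in PHP 5.4); treat that as "off".
// display_errors may also hold "stdout" or "stderr", both of which mean "on".
function ini_on(string $name): bool
{
    $value = ini_get($name);
    if ($value === false) {
        return false;
    }
    $on = ['1', 'on', 'yes', 'true', 'stdout', 'stderr'];
    return in_array(strtolower(trim($value)), $on, true);
}

function audit(): array
{
    $findings = [];
    foreach (['register_globals', 'allow_url_fopen', 'display_errors'] as $name) {
        if (ini_on($name)) {
            $findings[] = "$name is on";
        }
    }
    if (!ini_on('log_errors')) {
        $findings[] = 'log_errors is off, so errors are not being logged';
    }
    if (trim((string) ini_get('error_log')) === '') {
        $findings[] = 'error_log has no value';
    }
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is not set for this host';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (array_diff(WANT_DISABLED, $disabled) as $fn) {
        $findings[] = "$fn is not in disable_functions";
    }
    return $findings;
}

$findings = audit();
foreach ($findings as $line) {
    echo "[!] $line\n";
}
exit($findings ? 1 : 0);
```

An open_basedir value set inside a `<VirtualHost>` or `<Directory>` block only shows up when the script is requested through that virtual host, so check each host separately.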