Details of several common security Settings in PHP

In addition, the current vigorous SQL Injection is also used in many ways in PHP, so to ensure security, PHP code writing is one thing, PHP configuration is very critical.

We hand the PHP manual installation, PHP's default configuration files in/usr/local/apache2 / conf/PHP ini, we are most main is to configure PHP. The contents of the ini, allows us to execute PHP safer. The security Settings in the whole PHP are mainly to prevent the attack of phpshell and SQL Injection, which we will discuss slowly. We first use any editing tools to open the/etc/local/apache2 / conf/PHP ini, if you are using other ways to install, configure file may not in the directory.

(1) open PHP security mode

PHP security mode is an important built-in security mechanism that controls some PHP functions, such as system(),

At the same time, many file manipulation functions are controlled, and some key files, such as /etc/passwd, are not allowed.

But the default php.ini does not have security mode on, so let's turn it on:

Safe_mode = on

(2) user group security

When safe_mode is turned on, and safe_mode_gid is turned off, the PHP script is able to access the file, and it is the same

Users of the group can also access the file.

Recommended setting:

Safe_mode_gid = off

If we don't set it up, we may not be able to manipulate the files in our server's website directory, such as we need

When operating on a file.

(3) the home directory of the execution program in safe mode

If security mode is turned on, but only when certain programs are about to be executed, you can specify the home directory of the program to be executed:

Safe_mode_exec_dir = D: / usr/bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory, you can point to a directory,

Then copy the program that needs to be executed, such as:

Safe_mode_exec_dir = D: / TMP/CMD

However, I would rather not execute any program, so you can point to our web directory:

Safe_mode_exec_dir = D: / usr/WWW

(4) include files in secure mode

If you want to include some public files in secure mode, change the options:

Safe_mode_include_dir = D: / usr/WWW/include /

In fact, the general PHP script contains files in the program itself has been written, this can be set according to the specific needs.

(5) control the directory that the PHP script can access

Using the open_basedir option can prevent PHP scripts from accessing only the specified directory

The files should not be accessed, to some extent limit the phpshell harm, we can generally be set to only access the site directory:

Open_basedir = D: / usr/WWW

(6) close the danger function

If the safe mode is turned on, then the function ban is not needed, but we still consider it for the sake of security. For instance,

Phpinfo (), then we can disable them:

Disable_functions = system, passthru, exec, shell_exec popen, a phpinfo

If you want to disable any file or directory operations, you can close many file operations

Disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, CHGRP, chmod, chown

The above is just a list of some file processing functions that are not commonly used, you can also combine the above command function with this function,

Can resist most of the phpshell.

(7) close the leak of PHP version information in the HTTP header

In order to prevent hackers from getting information about the PHP version in the server, we can turn off this information in the HTTP header:

Expose_php = Off

Like the hackers at telnet  At www.chinaz.com 80, you will not be able to see the PHP information.

(8) close the registered global variable

Variables submitted in PHP, including those submitted using POST or GET, are automatically registered as global variables and can be accessed directly.

This is very insecure for the server, so we can't make it register as a global variable, just close the register global variable option:

Register_globals = Off

Of course, if this is set, then the corresponding variable should be acquired in a reasonable way, such as the var variable submitted by GET,

So we're going to use $_GET['var'] to get it, and this PHP programmer is going to pay attention.

(9) open magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem, small site background is hacked, or the whole server collapse,

So be careful. There is a setting in php.ini:

Magic_quotes_gpc = Off

This is off by default, and if it is turned on it will automatically submit the user to convert the SQL query,

For example, 'to' and so on, this is important to prevent SQL injection. Therefore, we recommend setting as:

Magic_quotes_gpc = On

(10) error message control

PHP usually prompts for errors when it is not connected to a database or otherwise, and the error message usually contains a PHP script

Before the path information or query SQL statements and other information, this information is provided to the hacker, is not safe, so the general server is recommended to prohibit error tips:

Display_errors = Off

If you do want to display an error message, be sure to set the error level. For example, only display the above warning information:

Error_reporting = E_WARNING & E_ERROR

Of course, I still recommend turning off the error.

(11) error log

It is recommended that after display_errors is closed, the error information can be recorded so as to find out why the server is running:

Log_errors = On

At the same time, you should also set the directory where the error log is stored. It is recommended that the logs of root apache be stored together:

Error_log = D: / usr/local/apache2 / logs/php_error log

Note: the file must allow apache users and groups to have write permissions.

MYSQL drop weight run

Create a new user such as mysqlstart

Net user mysqlstart **** Microsoft /add

Net localgroup users mysqlstart /del

Not in any group

If MYSQL is installed in d:\ MYSQL, then give mysqlstart full control of permissions

And then set the service properties of MYSQL in the system service, and in the login properties, select this user mysqlstart and enter the password, ok.

Restart the MYSQL service, and MYSQL runs with low permissions.

If you build apache under the windos platform, we also need to pay attention to one thing, apache is the default run system permissions,

This is scary, this is annoying. Let's give apache permission to downsize.

Net user apache **** Microsoft /add

Net localgroup users apache /del

Ok. We created a user apche that is not part of any group.

So we go to the computer manager, we select the service, we click on the apache service properties, we select log on, we select this account, we fill in the account and password that we created above,

Restart the apache service, ok, apache is running with low permissions.

In fact, we can set the permissions for each folder so that apache users can only do what we want it to do, creating a separate read-write user for each directory.

This is also a popular configuration method for many web hosting providers, but this method is used to prevent it from becoming overqualified.