Details of several common security Settings in PHP
- 2020-03-31 20:32:24
- OfStack
We hand the PHP manual installation, PHP's default configuration files in/usr/local/apache2 / conf/PHP ini, we are most main is to configure PHP. The contents of the ini, allows us to execute PHP safer. The security Settings in the whole PHP are mainly to prevent the attack of phpshell and SQL Injection, which we will discuss slowly. We first use any editing tools to open the/etc/local/apache2 / conf/PHP ini, if you are using other ways to install, configure file may not in the directory.
(1) open PHP security mode
PHP security mode is an important built-in security mechanism that controls some PHP functions, such as system(),
At the same time, many file manipulation functions are controlled, and some key files, such as /etc/passwd, are not allowed.
But the default php.ini does not have security mode on, so let's turn it on:
Safe_mode = on
(2) user group security
When safe_mode is turned on, and safe_mode_gid is turned off, the PHP script is able to access the file, and it is the same
Users of the group can also access the file.
Recommended setting:
Safe_mode_gid = off
If we don't set it up, we may not be able to manipulate the files in our server's website directory, such as we need
When operating on a file.
(3) the home directory of the execution program in safe mode
If security mode is turned on, but only when certain programs are about to be executed, you can specify the home directory of the program to be executed:
Safe_mode_exec_dir = D: / usr/bin
Generally, there is no need to execute any program, so it is recommended not to execute the system program directory, you can point to a directory,
Then copy the program that needs to be executed, such as:
Safe_mode_exec_dir = D: / TMP/CMD
However, I would rather not execute any program, so you can point to our web directory:
Safe_mode_exec_dir = D: / usr/WWW
(4) include files in secure mode
If you want to include some public files in secure mode, change the options:
Safe_mode_include_dir = D: / usr/WWW/include /
In fact, the general PHP script contains files in the program itself has been written, this can be set according to the specific needs.
(5) control the directory that the PHP script can access
Using the open_basedir option can prevent PHP scripts from accessing only the specified directory
The files should not be accessed, to some extent limit the phpshell harm, we can generally be set to only access the site directory:
Open_basedir = D: / usr/WWW
(6) close the danger function
If the safe mode is turned on, then the function ban is not needed, but we still consider it for the sake of security. For instance,
Phpinfo (), then we can disable them:
Disable_functions = system, passthru, exec, shell_exec popen, a phpinfo
If you want to disable any file or directory operations, you can close many file operations
Disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, CHGRP, chmod, chown
The above is just a list of some file processing functions that are not commonly used, you can also combine the above command function with this function,
Can resist most of the phpshell.
(7) close the leak of PHP version information in the HTTP header
In order to prevent hackers from getting information about the PHP version in the server, we can turn off this information in the HTTP header:
Expose_php = Off
Like the hackers at telnet At www.chinaz.com 80, you will not be able to see the PHP information.
(8) close the registered global variable
Variables submitted in PHP, including those submitted using POST or GET, are automatically registered as global variables and can be accessed directly.
This is very insecure for the server, so we can't make it register as a global variable, just close the register global variable option:
Register_globals = Off
Of course, if this is set, then the corresponding variable should be acquired in a reasonable way, such as the var variable submitted by GET,
So we're going to use $_GET['var'] to get it, and this PHP programmer is going to pay attention.
(9) open magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem, small site background is hacked, or the whole server collapse,
So be careful. There is a setting in php.ini:
Magic_quotes_gpc = Off
This is off by default, and if it is turned on it will automatically submit the user to convert the SQL query,
For example, 'to' and so on, this is important to prevent SQL injection. Therefore, we recommend setting as:
Magic_quotes_gpc = On
(10) error message control
PHP usually prompts for errors when it is not connected to a database or otherwise, and the error message usually contains a PHP script
Before the path information or query SQL statements and other information, this information is provided to the hacker, is not safe, so the general server is recommended to prohibit error tips:
Display_errors = Off
If you do want to display an error message, be sure to set the error level. For example, only display the above warning information:
Error_reporting = E_WARNING & E_ERROR
Of course, I still recommend turning off the error.
(11) error log
It is recommended that after display_errors is closed, the error information can be recorded so as to find out why the server is running:
Log_errors = On
At the same time, you should also set the directory where the error log is stored. It is recommended that the logs of root apache be stored together:
Error_log = D: / usr/local/apache2 / logs/php_error log
Note: the file must allow apache users and groups to have write permissions.
MYSQL drop weight run
Create a new user such as mysqlstart
Net user mysqlstart **** Microsoft /add
Net localgroup users mysqlstart /del
Not in any group
If MYSQL is installed in d:\ MYSQL, then give mysqlstart full control of permissions
And then set the service properties of MYSQL in the system service, and in the login properties, select this user mysqlstart and enter the password, ok.
Restart the MYSQL service, and MYSQL runs with low permissions.
If you build apache under the windos platform, we also need to pay attention to one thing, apache is the default run system permissions,
This is scary, this is annoying. Let's give apache permission to downsize.
Net user apache **** Microsoft /add
Net localgroup users apache /del
Ok. We created a user apche that is not part of any group.
So we go to the computer manager, we select the service, we click on the apache service properties, we select log on, we select this account, we fill in the account and password that we created above,
Restart the apache service, ok, apache is running with low permissions.
In fact, we can set the permissions for each folder so that apache users can only do what we want it to do, creating a separate read-write user for each directory.
This is also a popular configuration method for many web hosting providers, but this method is used to prevent it from becoming overqualified.