作者:Albert PHP作为Apache的模块运行时,Apache本身的安全起主导作用,因此如果配置正确的话,PHP应该是一个十分安全的环境,但是如果PHP是以CGI方式来运行的话,就没有这么安全了。 本文中提到的操作,对Unix和Windows都适用。 一、作为Apache模块来运行 因为一般说来,Apache会以“nobody”或者“www”来运行,所以,PHP作为模块是十分安全的。 如果PHP在虚拟主机环境下,可能会产生用户能浏览其他用户文件的危险。一个简单的脚本如下: // 假定文档根位于 /usr/local/websites/mydomain $location = ../; // 到上一级目录 $parent = dir($location); // 显示当前目录: /usr/local/websites while($entry = $parent->read()) { echo $entry . ; } $parent->close(); ?> 这样,只要修改$location,用户就可以浏览虚拟主机上所有其他用户的文件了。为了减少这样的危险,我们需要看一下php.ini ,修改其中的safe_mode, doc_root和usr_dir 参数,把用户限制在他自己的虚拟主机环境下: safe_mode = On doc_root = /usr/local/apache/htdocs user_dir = /home/albertxu/htdocs 二、作为CGI 把PHP以CGI方式运行需要十分小心,可能会泄露你不想让人知道的信息。 第一件事情要注意的就是一定要把执行文件放到文档根目录以外的地方。例如/usr/local/bin,因此所有的CGI文件开头必须带有: #!/usr/local/bin/php 防止用户直接调用CGI的办法是在Apache中强迫CGI重定向: Action php-script /cgi-bin/php.cgi AddHandler php-script .php 这会把下面的URL http://example.com/mywebdir/test.htm 转换为: http://example.com/cgi-bin/php/mywebdir/test.htm 在以CGI方式编译PHP时,最好采用下面的选项: --enable-force-cgi-redirect 本文讨论的是有关PHP的安全问题,详细的安全信息可以参考PHP老家上手册中关于安全的 http://www.php.net/manual/en/security.php 那一章。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
