PHP作为Apache的模块运行时,Apache本身的安全起主导作用,因此如果配置正确的话,PHP应该是一个十分安全的环境,但是如果PHP是以CGI方式来运行的话,就没有这么安全了。
本文中提到的操作,对Unix和Windows都适用。
一、作为Apache模块来运行
因为一般说来,Apache会以“nobody”或者“www”来运行,所以,PHP作为模块是十分安全的。
如果PHP在虚拟主机环境下,可能会产生用户能浏览其他用户文件的危险。一个简单的脚本如下:
// 假定文档根位于 /usr/local/websites/mydomain
$location = '../'; // 到上一级目录
$parent = dir($location);
// 显示当前目录: /usr/local/websites
while($entry = $parent->read()) {
echo $entry . '
';
}
$parent->close();
?>
这样,只要修改$location,用户就可以浏览虚拟主机上所有其他用户的文件了。为了减少这样的危险,我们需要看一下php.ini ,修改其中的safe_mode, doc_root和usr_dir 参数,把用户限制在他自己的虚拟主机环境下:
safe_mode = On
doc_root = /usr/local/apache/htdocs
user_dir = /home/albertxu/htdocs
二、作为CGI
把PHP以CGI方式运行需要十分小心,可能会泄露你不想让人知道的信息。
第一件事情要注意的就是一定要把执行文件放到文档根目录以外的地方。例如/usr/local/bin,因此所有的CGI文件开头必须带有:
#!/usr/local/bin/php
防止用户直接调用CGI的办法是在Apache中强迫CGI重定向:
Action php-script /cgi-bin/php.cgi
AddHandler php-script .php
这会把下面的URL
http://example.com/mywebdir/test.htm
转换为:
http://example.com/cgi-bin/php/mywebdir/test.htm
在以CGI方式编译PHP时,最好采用下面的选项:
--enable-force-cgi-redirect
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
Dreamweaver CS6
Visual web development tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
