Home > Article > Backend Development > Some common security configuration methods in php.ini_PHP tutorial
Some common security configuration methods in php.ini_PHP tutorial
- WBOYOriginal
- 2016-07-13 17:10:38782browse
The article briefly introduces how to make some common security configurations in php.ini. Students in need can refer to it.
(1) Turn on the safe mode of php
PHP’s security mode is a very important built-in security mechanism. It can control some functions in PHP, such as system(). It also controls the permissions of many file operation functions and does not allow certain keyword files. files, such as /etc/passwd, but the default php.ini does not open safe mode, let’s open it:
safe_mode = on
(2) User group security
When safe_mode is turned on and safe_mode_gid is turned off, the php script can access the file, and users in the same group can also access the file. And users in the same group can also access the file.
Recommended settings are:
safe_mode_gid = off
If we do not set it up, we may not be able to operate the files in the directory of our server website, for example, when we need to operate files.
(3) Home directory for executing programs in safe mode
If safe mode is turned on but you want to execute certain programs, you can specify the home directory of the program to be executed:
safe_mode_exec_dir = /usr/bin
Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory: and then copy the program that needs to be executed, such as:
safe_mode_exec_dir = /temp/cmd
However, I recommend not to execute any program, then you can point to our web directory:
safe_mode_exec_dir = /usr/www
(4) Include files in safe mode
If you want to include certain public files in safe mode, then change the options:
safe_mode_include_dir = /usr/www/include/
In fact, generally the files included in php scripts have been written in the program itself. This can be set according to specific needs.
(5) Control the directories that php scripts can access
Using the open_basedir option can control the PHP script to only access the specified directory. This can prevent the PHP script from accessing files that should not be accessed. Certain programs show the harm of phpshell. We can generally set it to only access the website directory:
open_basedir = /usr/www
(6) Close dangerous functions
If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example, if we feel that we do not want to execute PHP functions that have clear execution, including system(), or functions such as phpinfo() that can view PHP information, then we can prohibit them:
disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl
If you want to prohibit any file and directory operations, you can close many file operations
disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp,chmod, chown
The above only lists some of the more commonly used file processing functions. You can also combine the above execution command function with this function to resist most phpshells.
(7) Close the leakage of php version information in the http header
In order to prevent hackers from obtaining the PHP version information in the server, we can turn off the leakage of this information in the http header:
expose_php = off
For example, when a hacker telnet www.girlcoding.com:80, he will not be able to see PHP information
(8) Close registered global variables
Variables submitted in PHP, including those submitted using POST or GET, will be automatically registered as global variables and can be accessed directly. This is very unsafe for the server, so we cannot let it be registered as global variables. Just turn off the register global variable option:
register_globals = off
Of course, if this is set up, then reasonable methods must be used to obtain the corresponding variables. For example, to obtain the variable var submitted by GET, then $_GET['var'] must be used to obtain it. This PHP programmer needs to Notice.
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. It can cause the website backend to be invaded, or the entire server to fall, so be careful. There is a setting in php.ini:
magic_quotes_gpc = off
This is turned off by default. If it is turned on, it will automatically convert user-submitted sql queries, such as 'convert to', etc. This is very effective in preventing sql injection, so we recommend setting it to:
magic_quotes_gpc = off
There was a time when the program did not work when uploading locally, but it worked fine on the server~ It may also be caused by inheriting the core file of discuz, and there was a problem in obtaining the path. Later, I turned on this parameter and the problem was solved.
(10) Error message control
Generally, PHP will have an error message when it is not connected to the database or under other circumstances. Generally, the error message will contain the current path information of the PHP script or the SQL statement of the query. This kind of information is not safe after being provided to hackers. , so it is generally recommended that servers disable error prompts:
display_errors = Off
If you really want to display error messages, be sure to set the level of display errors, such as only displaying information above warnings:
error_reporting = E_WARNING & E_ERROR
Of course, I still recommend turning off error prompts.
(11) Error log
It is recommended to record the error message after closing display_errors to facilitate finding the reason for the server operation:
log_errors = On
At the same time, you must also set the directory where the error log is stored. It is recommended that the root apache log be stored together:
error_log = /usr/local/apache2/logs/php_error.log
Note: The apache user or group must have write permissions for the file.