Description of PHP safe mode (safe_mode): PHP tutorial
The safe_mode directive is available in PHP versions before 5.3, but safe mode is turned off by default. This article describes how to enable safe_mode and what effect it has on the system.
Enabling PHP safe mode (note that PHP 5.3 no longer has safe mode)
To turn PHP's safe mode on or off, use the safe_mode option in php.ini:
Directive | Default value | Modifiable range | Update record
---|---|---|---
safe_mode | "0" | PHP_INI_SYSTEM |
safe_mode_gid | "0" | PHP_INI_SYSTEM | Available since PHP 4.1.0
safe_mode_include_dir | NULL | PHP_INI_SYSTEM | Available since PHP 4.1.0
safe_mode_exec_dir | "" | PHP_INI_SYSTEM |
safe_mode_allowed_env_vars | "PHP_" | PHP_INI_SYSTEM |
safe_mode_protected_env_vars | "LD_LIBRARY_PATH" | PHP_INI_SYSTEM |
open_basedir | NULL | PHP_INI_SYSTEM |
disable_functions | "" | php.ini only | Available since PHP 4.0.1
disable_classes | "" | php.ini only | Available since PHP 4.3.2
When safe mode is turned on, the functions in the following list are restricted:
Function name | Restrictions
---|---
dbmopen() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
dbase_open() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro_rowcount() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro_retrieve() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
ifx_* | sql_safe_mode restrictions (not the same as safe mode).
ingres_* | sql_safe_mode restrictions (not the same as safe mode).
mysql_* | sql_safe_mode restrictions (not the same as safe mode).
pg_loimport() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
posix_mkfifo() | Checks if the directory being manipulated has the same UID (owner) as the script being executed.
putenv() | Follows the safe_mode_protected_env_vars and safe_mode_allowed_env_vars options set in php.ini. See the documentation of the putenv() function.
move_uploaded_file() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
chdir() | Checks if the directory being manipulated has the same UID (owner) as the script being executed.
dl() | This function is disabled in safe mode.
backtick operator | This operator is disabled in safe mode.
shell_exec() (functionally the same as backticks) | This function is disabled in safe mode.
exec() | Programs can only be executed from the directory set by safe_mode_exec_dir. For some reason, .. cannot currently be used in the path of the executable. escapeshellcmd() is applied to the argument of this function.
system() | Programs can only be executed from the directory set by safe_mode_exec_dir. For some reason, .. cannot currently be used in the path of the executable. escapeshellcmd() is applied to the argument of this function.
passthru() | Programs can only be executed from the directory set by safe_mode_exec_dir. For some reason, .. cannot currently be used in the path of the executable. escapeshellcmd() is applied to the argument of this function.
popen() | Programs can only be executed from the directory set by safe_mode_exec_dir. For some reason, .. cannot currently be used in the path of the executable. escapeshellcmd() is applied to the argument of this function.
fopen() | Checks if the directory being manipulated has the same UID (owner) as the script being executed.
mkdir() | Checks if the directory being manipulated has the same UID (owner) as the script being executed.
rmdir() | Checks if the directory being manipulated has the same UID (owner) as the script being executed.
rename() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID.
unlink() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID.
copy() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID. (Applies to both source and target.)
chgrp() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
chown() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed.
chmod() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. In addition, the SUID, SGID and sticky bits cannot be set.
touch() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID.
symlink() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID. (Note: only the target is tested.)
link() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID. (Note: only the target is tested.)
apache_request_headers() | In safe mode, headers starting with "authorization" (case sensitive) are not returned.
header() | In safe mode, if a WWW-Authenticate header is set, the UID of the current script is added to the realm part of that header.
PHP_AUTH variables | In safe mode, the variables PHP_AUTH_USER, PHP_AUTH_PW and PHP_AUTH_TYPE are not available in $_SERVER. REMOTE_USER can still be used to obtain the user name.
parse_ini_file() | Checks if the file or directory being manipulated has the same UID (owner) as the script being executed. The directory being manipulated is also checked for the same UID. (Note: only applies since version 4.2.1.)
set_time_limit() | Has no effect in safe mode.
max_execution_time | Has no effect in safe mode.
mail() | In safe mode, the fifth parameter is blocked. (Note: only affected since PHP 4.2.3.)
Similarly, some functions in PHP extensions are also affected. (Loading modules: the dl() function is disabled in safe mode. To load an extension, you can only use the extension options in php.ini so that it is loaded when PHP starts.)
When PHP safe mode is turned on and you need to execute a system program, it must reside in the directory specified by the safe_mode_exec_dir option, otherwise execution fails. Even when execution is allowed, the arguments are automatically passed through the escapeshellcmd function first.
The following command-execution functions are affected:
exec, shell_exec, passthru, system, popen
In addition, the backtick operator (`) is turned off.
When running in safe mode, the putenv function has no effect, although no error is raised. Similarly, other functions that attempt to change the PHP environment, such as set_time_limit and set_include_path, are ignored.
Impact of safe mode:
File owner checks are performed whenever functions access the file system. By default the user ID (UID) of the file owner is compared; if you want to compare the group ID (GID) instead, set the safe_mode_gid option.
If your system has shared library files that scripts need to include or require, use the safe_mode_include_dir option to set that path so your code keeps working. (Inclusion paths: to list several paths in safe_mode_include_dir, separate them with a colon on Unix/Linux and a semicolon on Windows, just like the include_path option.)
For example, to include files under /usr/local/include/php in safe mode, set the option as:
safe_mode_include_dir=/usr/local/include/php
If your included files need to be executed, set the safe_mode_exec_dir option.
For example, if the files in /usr/local/php-bin need to be executable, set the option to:
safe_mode_exec_dir=/usr/local/php-bin
(Executables: if the programs you need are in /usr/bin, link those binaries into the directory you specify in safe_mode_exec_dir.)
If you want to set certain environment variables, use the safe_mode_allowed_env_vars option. Its value is a list of environment variable prefixes; by default only variables starting with PHP_ are allowed. To change this, set the option's value, separating multiple prefixes with commas.
For example, to allow the time-zone environment variable TZ as well, change the option's value to:
safe_mode_allowed_env_vars=PHP_,TZ
In addition to safe mode, PHP provides many other features to secure a PHP installation.
1. [Hide the PHP version number]
You can use the expose_php option in php.ini to stop the web server from revealing that PHP is in use, and which version. Set it as follows:
expose_php=off
This alone thwarts some attacks by automated scripts that select targets by server version. Normally the HTTP response headers contain a line such as:
Server: Apache/1.3.33 (Unix) PHP/5.2.4 mod_ssl/2.8.16 OpenSSL/0.9.7c
With expose_php turned off, the PHP version information is no longer included in this header.
Of course, visitors can also see the .php file extension when they browse the website. If you want to use a different file extension entirely, find the following line in httpd.conf:
AddType application/x-httpd-php .php
You can change .php to any file extension you like, and you can list as many extensions as you like, separated by spaces. If you want the server to parse .html and .htm files with PHP, set the option as follows:
AddType application/x-httpd-php .html .htm
(Parsing HTML: you can configure your web server to pass all HTML files through PHP, but parsing pages that contain no server-side code costs performance. Use a different extension for static pages so they bypass the PHP engine entirely.)
2. [File system security]
Safe mode restricts scripts to files owned by the script owner, but you can also use the open_basedir option to specify the directory that scripts are allowed to access. Once a directory is specified, PHP denies access to everything outside that directory and its subdirectories. open_basedir also works outside of safe mode.
To restrict file system access to the /tmp directory only, set the option as:
open_basedir=/tmp
3. [Function access control]
You can list function names, separated by commas, in the disable_functions option; those functions are then turned off in PHP scripts. This setting also works outside of safe mode.
disable_functions=dl
Of course, you can also use the disable_classes option to turn off access to certain classes.
4. [Database Security]
Suppose your PHP script contains a MySQL query that is executed based on a form value:
$sql = "update mytable set col1=" . $_POST["value"] . " where col2='somevalue'";
$res = mysql_query($sql, $db);
You expect $_POST["value"] to contain an integer that updates column col1. However, a malicious user can type a semicolon into the form field, followed by any SQL statement he or she wants executed.
For example, assume the following is the value submitted in $_POST["value"]:
0;insert into admin_users(username,password) values ('me','mypassword');
When this query is sent to mysql_query, it becomes the following SQL:
update mytable set col1=0;
insert into admin_users(username,password) values ('me','mypassword');
where col2='somevalue';
This is obviously a harmful query. The first statement updates col1 in the mytable table, which is harmless in itself, but the second statement executes an insert that creates a new administrator who can log in. The third fragment is discarded, but at the same time the SQL parser throws an error before the harmful query is completed. This attack is what is commonly called SQL injection.
Of course, SQL injection has a catch: the other party must know your database structure. In this example the attacker knows that you have a table admin_users containing username and password fields, and that the stored password is not encrypted.
Apart from yourself, the average website visitor will not know these details of the database. However, if you use an open-source e-commerce program or a free discussion board, the definitions of these tables are public knowledge, or some users may already have access to your database.
In addition, a query error in your script's output reveals a lot of important information about the database structure. On a production website you should set the display_errors option to off and use log_errors instead, so that warnings and error messages go to a file.
(Database permissions: this is very important. The script should connect to the database with only the permissions it actually needs; never connect as the administrator in a script. If you do, an attacker may gain full database permissions, including permissions on other databases on the same server, and may run grant or create user commands to gain even more access.)
To prevent SQL injection attacks, you must ensure that the content submitted in a user form cannot be interpreted as an executable SQL expression.
In the previous example an integer value was used for the update. If the value is a string enclosed in single quotes, the attacker must submit a closing quote before the semicolon for the SQL expression to parse. However, when the magic_quotes_gpc option is enabled, quotes submitted in web forms are escaped automatically.
To prevent SQL injection by a malicious attacker, you should always confirm that the submitted data is legal. If you need an integer value, test the value with the is_numeric function, or convert it to a number with the settype function, which discards any SQL that was smuggled in.
If your program needs several submitted values in one SQL expression, you can use the sprintf function to build the SQL string, with format characters indicating the data type of each value. Look at the example below:
$sql = sprintf("update mytable set col1=%d where col2='%s'", $_POST["number"], mysql_escape_string($_POST["string"]));
In this example a MySQL database is used, so the string is filtered through the mysql_escape_string function. For other databases you can escape with the addslashes function or use other methods.
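As an added example that is not part of the original tutorial, the vulnerable update above is shown beside two hardened versions: type validation with is_numeric() and sprintf() as the text recommends, and a mysqli prepared statement, which replaces the mysql_* functions removed in PHP 7. The table mytable, its columns, the $db connection and the submitted payload are assumptions.

```php
<?php
// Added example, not from the original tutorial. Assumes a MySQL table
// `mytable` with columns col1 (INT) and col2 (VARCHAR) reached via mysqli;
// $db and the submitted values are illustrative.

// Vulnerable form from the tutorial: the value is concatenated into the SQL
// text, so "0;insert into ..." is parsed as a second statement.
function build_vulnerable_query(string $value): string
{
    return "update mytable set col1=" . $value . " where col2='somevalue'";
}

// Hardened form 1: validate the type first, as the tutorial recommends.
// is_numeric() rejects the payload outright; the (int) cast and %d then
// guarantee that only an integer literal reaches the SQL text.
function build_validated_query(string $value): ?string
{
    if (!is_numeric($value)) {
        return null;               // reject; do not try to "clean" the input
    }
    return sprintf("update mytable set col1=%d where col2='%s'",
                   (int) $value, 'somevalue');
}

// Hardened form 2: a prepared statement. The SQL text and the data travel to
// MySQL separately, so the value can never be parsed as SQL, whatever it
// contains. This replaces mysql_query() from the tutorial.
function update_col1(mysqli $db, string $value, string $col2): bool
{
    if (!is_numeric($value)) {
        return false;
    }
    $number = (int) $value;
    $stmt = $db->prepare("UPDATE mytable SET col1 = ? WHERE col2 = ?");
    if ($stmt === false) {
        return false;              // log $db->error; never echo it to the user
    }
    $stmt->bind_param('is', $number, $col2);   // i = integer, s = string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed payload, identical to the tutorial's example.
$payload = "0;insert into admin_users(username,password) values ('me','mypassword');";

echo build_vulnerable_query($payload), PHP_EOL;   // three statements in one string
var_dump(build_validated_query($payload));        // NULL: rejected by is_numeric()
var_dump(build_validated_query("42"));            // one safe UPDATE statement
```

Run the script without a database to see the first two forms; update_col1() needs a live mysqli connection to mytable.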
