Home >Backend Development >PHP Tutorial >Detailed explanation of safe_mode safe mode configuration in php_PHP tutorial

Detailed explanation of safe_mode safe mode configuration in php_PHP tutorial

WBOY
WBOYOriginal
2016-07-13 17:11:021558browse

There is a normal mode and a safe mode in php. Now most users directly use the php normal mode of the application, because many functions are restricted after the safe mode is configured. Let me tell you in detail. Safe mode configuration method.

When safe mode is turned on, the functions of the following function list will be restricted:

chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink

Similarly, some functions in PHP extensions will also be affected. (Loading modules: The dl function will be prohibited in safe mode. If you want to load an extension, you can only modify the extension options in php.ini and load it when PHP starts)

When PHP safe mode is turned on, when you need to execute an operating system program, it must be the program in the directory specified in the safe_mode_exec_dir option, otherwise the execution will fail. Even if execution is allowed, it will automatically be passed to the escapeshellcmd function for filtering.

The following list of functions that execute commands will be affected:

exec, shell_exec, passthru, system, popen

In addition, the back tag operator (`) will also be turned off.

When running in safe mode, although no error will be caused, the putenv function will be invalid. Likewise, other functions such as set_time_limit, set_include_path, etc. that attempt to change PHP environment variables will also be ignored.

1. The application of all input and output functions (such as fopen(), file() and require()) will be restricted and can only be used for files that have the same owner as the script that calls these functions. For example, assuming safe mode is enabled, if a script owned by Mary calls fopen() and attempts to open a file owned by Jonhn, it will fail. However, if Mary owns not only the script that calls fopen(), but also the file that fopen() calls from, it will succeed.
2. If you try to execute a script through the functions popen(), system() or exec(), it is only possible if the script is located in the directory specified by the safe_mode_exec_dir configuration directive.
3. HTTP verification is further strengthened because the UID of the user of the verification script is included in the verification field. Additionally, when safe mode is enabled, PHP_AUTH is not set.
4. If a MySQL database server is used, the user name used to connect to the MySQL server must be the same as the file owner user name calling mysql_connect().


1) Turn on the safe mode of php

PHP’s safe mode is a very important built-in security mechanism that can control some functions in PHP, such as system(),
At the same time, the permissions of many file operation functions are controlled, and certain key files, such as /etc/passwd, are not allowed.
​But the default php.ini does not open safe mode, let’s open it:
​safe_mode = on


(2) User group security

When safe_mode is turned on, safe_mode_gid is turned off, then the php script can access the file, and it is the same
Users in the group can also access the file.
It is recommended to set it to:

safe_mode_gid = off

If we do not set it up, we may not be able to operate the files in our server website directory. For example, we need to
When operating on files.


(3) Execute the program’s home directory in safe mode

If safe mode is turned on but you want to execute certain programs, you can specify the home directory of the program to be executed:

safe_mode_exec_dir = D:/usr/bin

Under normal circumstances, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,
Then copy the program that needs to be executed, such as:

safe_mode_exec_dir = D:/tool/exe

However, I recommend not to execute any program, then you can point to our web directory:

safe_mode_exec_dir = D:/usr/www


(4) Include files in safe mode

If you want to include some public files in safe mode, then modify the options:

safe_mode_include_dir = D:/usr/www/include/

In fact, generally the files included in PHP scripts have been written in the program itself. This can be set according to specific needs.


(5) Control the directories that php scripts can access

Use the open_basedir option to control the PHP script to only access the specified directory, which can avoid PHP script access
Files that should not be accessed limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:

open_basedir = D:/usr/www


(6) Turn off dangerous functions

If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example,
We feel that we do not want to execute PHP functions including system() that can execute commands, or that can view PHP information
phpinfo() and other functions, then we can disable them:

Disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

If you want to prohibit any file and directory operations, you can close many file operations


disable_functions=chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,

copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function.
It can resist most phpshells.


(7) Close the leakage of PHP version information in the http header

In order to prevent hackers from obtaining the PHP version information in the server, we can turn off the information in the http header:

expose_php = Off

For example, when a hacker telnet www.target.com 80, he will not be able to see PHP information.


(8) Close registered global variables

Variables submitted in PHP, including those submitted using POST or GET, will be automatically registered as global variables and can be accessed directly,
This is very unsafe for the server, so we can’t register it as a global variable, so we turn off the register global variable option:
​register_globals = Off
Of course, if this is set, then a reasonable method must be used to obtain the corresponding variable, such as obtaining the variable var submitted by GET,
Then you need to use $_GET['var'] to obtain it. PHP programmers should pay attention to this.


(9) Turn on magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem. In the smallest case, the website backend is invaded, and in the worst case, the entire server collapses.

So be careful. There is a setting in php.ini:

magic_quotes_gpc = Off

This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,
For example, converting ' to ', etc., this plays a significant role in preventing SQL injection. So we recommend setting it to:

 magic_quotes_gpc = On

www.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629618.htmlTechArticleThere is a normal mode and safe mode in php. Now most data users use the php application directly. Normal mode, because after safe mode configuration, many functions are affected...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn