Summary of PHP security issues

(1) Turn on the safe mode of php

The safe mode of php is a very important built-in security mechanism, which can control some functions in php, such as system(),

At the same time, it also controls the permissions of many file operation functions. , and also does not allow certain key files, such as /etc/passwd,

But the default php.ini does not turn on the safe mode, we turn it on:

safe_mode = on

(2) User Group Security

When safe_mode is turned on and safe_mode_gid is turned off, the php script can access the file, and users in the same

group can also access the file.

It is recommended to set it to:

safe_mode_gid = off

If it is not set, we may not be able to operate the files in the directory of our server website, such as when we need to

operate files.

(3) Home directory for executing programs in safe mode

If safe mode is turned on but you want to execute certain programs, you can specify the home directory for executing programs:

safe_mode_exec_dir = D:/usr/bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,

Then copy the program that needs to be executed, for example:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not to execute any program, then you can point to our web page directory:

safe_mode_exec_dir = D:/usr/www

(4) Include files in safe mode

If you want to include certain files in safe mode Public files, then modify the options:

safe_mode_include_dir = D:/usr/www/include/

In fact, generally the files included in php scripts have been written in the program itself. This can be set according to specific needs.

(5) Control the directories that php scripts can access

Use the open_basedir option to control that PHP scripts can only access specified directories. This can prevent PHP scripts from accessing files that

should not access, and limits the harm of phpshell to a certain extent. , we can generally set it to only access the website directory:

open_basedir = D:/usr/www

(6) Turn off dangerous functions

If the safe mode is turned on, then function ban is not necessary, but for our sake Safety should be considered. For example,

We feel that we do not want to execute php functions including system() that can execute commands, or

phpinfo() and other functions that can view php information, then we can disable them:

disable_functions = system ,passthru,exec,shell_exec,popen,phpinfo

If you want to prohibit any file and directory operations, you can close many file operations

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink ,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above are just some of the commonly used file processing functions. You can also combine the above execution command function with this function Combined,

can resist most phpshells.

(7) Turn off the leakage of PHP version information in the http header

In order to prevent hackers from obtaining the php version information in the server, we can turn off the information in the http header:

expose_php = Off

For example, hackers use telnet When www.shilicn.com is 80, you will not be able to see PHP information.

(8) Turn off registering global variables

Variables submitted in PHP, including variables submitted using POST or GET, will be automatically registered as global variables and can be accessed directly.

This is very unsafe for the server. So we can’t let it be registered as a global variable, so we turn off the register global variable option:

register_globals = Off

Of course, if it is set like this, then we must use reasonable methods to obtain the corresponding variables, such as obtaining the variables submitted by GET var,

then use $_GET['var'] to obtain it. PHP programmers should pay attention to this.

(9) Turn on magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem. It can cause the website backend to be invaded, or the entire server to fall.

So be careful. There is a setting in php.ini:

magic_quotes_gpc = Off

This is off by default. If it is turned on, it will automatically convert user-submitted SQL queries,

For example, convert ' to ', etc., which will prevent SQL injection plays a major role. So we recommend setting it to:

magic_quotes_gpc = On

(10) Error message control

Generally, php will prompt an error when it is not connected to the database or under other circumstances. Generally, the error message will contain the php script when

The previous path information or the query SQL statement and other information are not safe after this type of information is provided to hackers, so it is generally recommended for servers to disable error prompts:

display_errors = Off

If you want to display error messages, Be sure to set the level of display errors, such as only displaying information above warnings:

error_reporting = E_WARNING & E_ERROR

Of course, I still recommend turning off error prompts.

(11) Error log

It is recommended to record the error information after turning off display_errors, so as to find the reason for the server operation:

log_errors = On

At the same time, it is also necessary to set the directory where the error log is stored. It is recommended to root the apache log Exist together:

error_log = D:/usr/local/apache2/logs/php_error.log

Note: The file must allow the apache user and group to have write permissions.

MYSQL running with reduced privileges

Create a new user such as mysqlstart

net user mysqlstart ****microsoft /add

net localgroup users mysqlstart /del

Does not belong to any group

If MYSQL is installed in d:mysql , then, give mysqlstart full control permission

Then set the MYSQL service properties in the system service. In the login properties, select this user mysqlstart and enter the password, OK.

Restart the MYSQL service, and then MYSQL will run with low privileges.

If the apache is built on the windos platform, we need to pay attention to one thing. By default, apache runs with system permissions.

This is scary and makes people feel very uncomfortable. Then let’s lower the permissions of apache.

net user apache ****microsoft /add

net localgroup users apache /del

ok. We created a user apche that does not belong to any group.

We open the computer manager, select services, click on the properties of the apache service, we select log on, select this account, we fill in the account and password created above,

Restart the apache service, ok, apache is running with low privileges Got off.

In fact, we can also set the permissions of each folder so that the apache user can only perform what we want it to do, and create a separate read-write user for each directory.

This is also a popular configuration method used by many virtual host providers. However, this method is overkill when used to prevent this. (http://www.65066.com.cn)