
Strengthen PHP scripting language security with Suhosin

黄舟 (Original)

2016-12-14 09:49:05

PHP is a very popular web scripting language, but its inherent security is weak. This article describes the Hardened-PHP project and its newer Suhosin project; Suhosin provides a hardened PHP security configuration.

PHP is controversial, yet it is the most popular web scripting language. It is popular because it is cheap. That low cost has led to ever more web applications being written in PHP, and at the same time ever more security vulnerabilities have been exposed in PHP itself. These traits make PHP look extremely unreliable, yet the language is also very flexible and easy to write code in; the resulting code is often bloated and insecure, but PHP keeps its many users all the same. Time and again, applications of every kind exhibit the same weaknesses: SQL injection, cross-site scripting, arbitrary code execution, and more.

Because PHP's built-in security measures, such as safe_mode and open_basedir, are ignored, the Hardened-PHP project builds a more secure PHP and adds validation checks to it. Initially this was done with a patch set that required PHP itself to be patched and recompiled. More recently the project released a new component called Suhosin.

Suhosin consists of two parts. The first is a patch for PHP that hardens the Zend engine itself against possible buffer overflows and related weaknesses. The second is the Suhosin extension, a stand-alone module for PHP. The two parts can work together, or the extension can be used on its own.

Developers do not want to maintain their own PHP build just to gain security; they much prefer to use the PHP shipped by their Linux distribution vendor. An extension module can provide security features that PHP itself lacks.

The extension is easy to install; it can be installed via PECL, or downloaded and compiled (the archive name below stands for whichever Suhosin release was downloaded; phpize prepares the extension's build system for the installed PHP):

 $ tar xzf suhosin-<version>.tgz

 $ cd suhosin-<version>

 $ phpize

 $ ./configure

 $ make

 $ sudo make install

To use Suhosin, you also need to add the following line to /etc/php.ini:

 extension=suhosin.so

The default configuration options are enough for most people. To tighten the settings, add the corresponding values to /etc/php.ini. The various configuration options are described in detail on the project website, and those instructions help with the initial configuration.

With Suhosin you get error logs, which can be written to the system log and to any other log file at the same time. It can also maintain blacklists and whitelists per virtual host; it can filter GET and POST requests, file uploads and cookies; it can transparently encrypt sessions and cookies, set up storage that cannot be sent, and more. Unlike the original PHP hardening patch, Suhosin is compatible with third-party extensions such as Zend Optimizer.
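The article does not list any directives, so the following php.ini fragment is an added example (not from the article or the Suhosin project's shipped configuration) showing how the features just described map onto Suhosin's documented directive names; the limits, the log path, the blacklisted functions and the CHANGE_ME keys are illustrative values chosen here and must be tuned to the application.

```ini
; /etc/php.ini - added example of a hardened Suhosin configuration.
; Directive names are Suhosin's own; all values are illustrative.

extension=suhosin.so

; 1. Logging: alerts go to syslog and to a dedicated file at the same time.
;    S_ALL is every alert class; the noisy SQL class is excluded from syslog.
suhosin.log.syslog    = S_ALL & ~S_SQL
suhosin.log.file      = S_ALL
suhosin.log.file.name = /var/log/php/suhosin.log   ; path is an assumption

; 2. Roll-out: simulation mode logs every violation but blocks nothing, so a
;    new policy can be checked against real traffic before it is enforced.
;    Switch to Off once the log shows no false positives.
suhosin.simulation = On

; 3. Request filtering: caps on GET/POST/COOKIE variables. Oversized or
;    malformed input is dropped and logged instead of reaching the script.
suhosin.request.max_vars           = 500
suhosin.request.max_varname_length = 64
suhosin.request.max_value_length   = 65000
suhosin.request.max_array_depth    = 10
suhosin.post.max_vars              = 500
suhosin.cookie.max_vars            = 20
suhosin.request.disallow_nul       = On   ; reject embedded NUL bytes

; 4. Uploads: limit the number per request and refuse ELF binaries.
suhosin.upload.max_uploads  = 5
suhosin.upload.disallow_elf = On

; 5. Transparent encryption of session data and cookies. Binding the key to
;    the client's User-Agent and the document root means a value leaked from
;    one host or client is not usable from another. CHANGE_ME is a placeholder.
suhosin.session.encrypt      = On
suhosin.session.cryptkey     = CHANGE_ME
suhosin.session.cryptua      = On
suhosin.session.cryptdocroot = On
suhosin.cookie.encrypt       = On
suhosin.cookie.cryptkey      = CHANGE_ME
suhosin.cookie.cryptua       = On
suhosin.cookie.cryptdocroot  = On

; 6. Function blacklist (comma-separated). Per-virtual-host variants belong
;    in the web server's vhost block (e.g. php_admin_value under mod_php),
;    which is how the per-host black/whitelists mentioned above are set.
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open
suhosin.executor.disable_eval   = Off   ; set On only if no code relies on eval()
```

Violations appear in the configured log as ALERT lines naming the directive that fired, which is what to watch while suhosin.simulation is still On.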
