How to solve security problems in php

PHP Security Configuration

##(1) Turn on PHP’s safe mode (recommended to learn : PHP programming from entry to proficiency)

php's security mode is a very important built-in security mechanism that can control some functions in php, such as system(), and at the same time control many The file operation function performs permission control and does not allow certain key files, such as /etc/passwd, but the default php.ini does not open the safe mode. We open it:

safe_mode = on

(2) User group security

When safe_mode is turned on and safe_mode_gid is turned off, the php script can access the file, and users in the same group can also access the file.

It is recommended to set it to:

safe_mode_gid = off

If you do not set it, we may not be able to operate the files in our server website directory, such as when we need to operate files.

(3) Home directory for executing programs in safe mode

If safe mode is turned on, but you want to execute certain programs, you can specify the program to be executed. The home directory:

safe_mode_exec_dir = D:/usr/bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory and then copy the program that needs to be executed, such as:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not to execute any program, then you can point to our web directory:

safe_mode_exec_dir = D:/usr/www

(4) Include files in safe mode

If you want To include certain public files in safe mode, then modify the options:

safe_mode_include_dir = D:/usr/www/include/

In fact, generally the files included in PHP scripts have been written in the program itself. This can be set according to specific needs.

(5) Control the directories that PHP scripts can access

Use the open_basedir option to control that PHP scripts can only access specified directories, which can prevent PHP scripts from accessing directories that should not be accessed. The accessed files limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:

open_basedir = D:/usr/www

(6) Turn off dangerous functions

if If the safe mode is turned on, function prohibition is not necessary, but we still consider it for safety's sake. For example, if we don’t want to execute PHP functions that can execute commands, including system(), or phpinfo() and other functions that can view PHP information, then we can ban them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

If you To prohibit any file and directory operations, you can close many file operations

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, 　　rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function, and you can Resist most phpshells.

(7) Close the leakage of PHP version information in the http header

In order to prevent hackers from obtaining the PHP version information in the server, we can close the leakage of the information in the http header In the header:

expose_php = Off

For example, when a hacker telnet www.greatmo.com 80, he will not be able to see the PHP information.

(8) Turn off registration of global variables

Variables submitted in PHP, including variables submitted using POST or GET, will be automatically registered as global variables and can Direct access is very unsafe for the server, so we cannot let it be registered as a global variable, so we turn off the registration global variable option:

register_globals = Off

Of course, if this is set, then when getting the corresponding variable Reasonable methods must be used, such as obtaining the variable var submitted by GET, then $_GET['var'] must be used to obtain it. PHP programmers should pay attention to this.

(9) Open magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem. In small cases, the website backend is invaded, and in more serious cases, the entire server collapses, so it must be be careful. There is a setting in php.ini:

magic_quotes_gpc = Off

This is turned off by default. If it is turned on, it will automatically convert user-submitted queries to sql, such as converting ' to \', etc. This will prevent sql Injections make all the difference. Therefore, we recommend setting it to:

magic_quotes_gpc = On

(10) Error message control

Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. General error messages It will contain the current path information of the php script or the SQL statement of the query. This kind of information is not safe after being provided to hackers, so it is generally recommended that the server disable error prompts:

display_errors = Off

If you are To display error information, you must set the level of error display, for example, only display information above warnings:

error_reporting = E_WARNING & E_ERROR

Of course, I still recommend turning off error prompts.

The above is the detailed content of How to solve security problems in php. For more information, please follow other related articles on the PHP Chinese website!