There are 3 improper settings in the php.ini configuration that will cause security problems for the website.

All PHP source code websites must configure the environment. Whether they use an integrated environment or build it manually, few people may have paid attention to the functions of these things configured in php.ini. Many websites When setting up the php.ini file, I always look for a tutorial online, and then they tell me which steps to add and delete, but there are really two settings in it that can cause website security issues.

Some people will say how can a php.ini file have security issues? Could it be that hiker will attack my php. ini file is not available?

This is not true, but the running mode will provide a window for the hiker. Please see the configuration steps below.

Take the installation of PHP on the windows system as an example. The settings of all versions of the php.ini file are almost the same. First go Download the required PHP version from the official website, then unzip and rename it.

Assume that php7.4 is installed in the root directory of the server's D drive: Download the Non-Thread Safe (NTS) version of the PHP program, then unzip it and rename it to "php" folder and copy it to the root directory of drive D.

Open the php.ini-development file under D:\php, make a copy and rename it to php.ini , open the D:\php\php.ini file, the following is the complete configuration process.

1. Change short_open_tag = Off to

short_open_tag = On

. The effect of this modification is that some website template files use such as ? >This kind of PHP code can ensure that the code can be executed normally. This type of code is also common in templates such as ecshop, dedecms and WordPress.

2. Change expose_php = On and change it to

expose_php = Off

. For website security, it is forbidden to display the version number of php to prevent others from targeting specific php versions. Exploit website. For some websites, if you use webmaster tools to check them, it will be clear at a glance what web server they are using and what PHP version they are. Of course, hikers know about specific PHP version vulnerabilities. Although hiding the version number cannot be said to solve the problem, it will. Increase the difficulty of the hike.

3. Find the following code

; On windows:
; extension_dir = "ext"

Remove the semicolon in front of extension_dir here, and change ext to the installation path of PHP, as shown below. Be careful not to write the slashes backwards, because I installed PHP on the D drive.

extension_dir = "D:\php\ext"

4. Find max_execution_time = 30 and change the number 30 to 300 or 1200. The function is the maximum time for each script to be executed. The default is 30 seconds. This solves the problem that the connection may always time out due to network speed and server address (such as foreign hosts).

5. Search for ; cgi.force_redirect = 1, remove the semicolon in front, and change the number 1 to 0. cgi.force_redirect = 0 means to close the redirection to execute the php file. For security reasons, it prevents others from uploading Trojans for execution, such as: your website url/as=your website url/sdf/muma .php, such redirected PHP files are executable. After changing this configuration to 0, this type of redirected PHP files will not be executed.

This is also the reason why some websites are always hung. After this modification, even if there is a security vulnerability in the front desk of the website and the Trojan file is uploaded by the hiker, the Trojan file will not run in this way, so there is no use.

6. Find the code ; cgi.fix_pathinfo=1Remove the semicolon and change the number 1 to 0. The function is to prohibit parsing illegal php files. For example, a php file under a picture like /a.jpg/1.php is illegal. Setting it to 0 disables execution. This kind of file that uploads a Trojan horse disguised as an image has existed for a long time. It is forbidden to run such files. Even if a Trojan horse is uploaded, it is useless because it is set to not allow it to run.

7. Find the code fastcgi.impersonate = 1Remove the preceding semicolon. The function is that iis or nginx uses the fastcgi method to parse the php file. If it is not turned on, the php program cannot be run. Apache does not need to be turned on.

8. Search cgi.rfc2616_headers = 0, remove the semicolon and change 0 to 1. It means telling php what header to use. What is a header? Like this: HTTP/1.1.

9. Search upload_tmp_dir =, delete the preceding semicolon and add the path as follows:

upload_tmp_dir = D:\php\temp

means the temporary directory for uploading files, used to store files uploaded by the website Temporary virtual directory, but no files will actually be uploaded to it.

10. Search for the following codes respectively, one per line, and remove the semicolon in front of it (the semicolon represents a comment, which means it will not take effect, and it will take effect if it is removed):

extension=bz2
extension=curl
extension=gd2
extension=gmp
extension=mbstring
extension=php_mysql.dll
extension=mysqli
extension=pdo_mysql

11. Search date.timezone =Remove the semicolon and change it to the following:

date.timezone = Asia/Shanghai

注意大小写，意思是格式化时间，默认使用北京时间（东8区），这样可以使服务器时间和程序的时间一致，否则可能你发文章显示的时时间会和实际时间不一样，如果不设置时间可能会相差8小时，也可以设置为date.timezone = PRC ，设置时区为中国时区，PRC是中国时区的简称。

以上就是完整的php.ini文件配置，真的有3处设置和网站的安全有关系，由于这个文件一般只会设置一次，之后都不会去更改，所以有的问题也不容易被发现。

本文来自：https://baijiahao.baidu.com/s?id=1660324056472707757&wfr=spider&for=pc

相关推荐：

PHP视频教程：https://www.php.cn/course/list/29/type/2.html    

The above is the detailed content of There are 3 improper settings in the php.ini configuration that will cause security problems for the website.. For more information, please follow other related articles on the PHP Chinese website!