Eleven common PHP security rules

PHP itself has some problems with the old version, such as some serious bugs before php4.3.10 and php5.0.3, so we recommend that you use the new version. In addition, the vigorous SQL Injection is also widely used in PHP, so to ensure security, PHP code writing is one aspect, and PHP configuration is even more critical.

We manually install php. The default configuration file of php is in/usr/local/apache2/conf/php. ini, we mainly need to configure php. the content in ini makes it safer to execute php. The security settings in PHP are mainly used to prevent phpshell and SQL Injection attacks. Let's take a look at them. Use any editing tool to open/etc/local/apache2/conf/php. ini. If you install it in other ways, the configuration file may not be in this directory.

(1) Enable the php security mode

The security mode of php is a very important embedded security mechanism that can control some functions in php, such as system () and control permissions for many file operation functions, some key files, such as/etc/passwd, are not allowed, but the default php. ini does not enable the security mode. Let's open it:

Safe_mode = on (2) user group security

When safe_mode is enabled and safe_mode_gid is disabled, php scripts can access files and users in the same group can also access the files.

Recommended settings:

If we do not set safe_mode_gid = off, we may not be able to operate the files in the directory of our server website, for example, when we need to operate the files.

(3) Main directory for executing programs in Safe Mode

If security mode is enabled, but you want to execute some programs, you can specify the main directory of the program to be executed:

Safe_mode_exec_dir = D:/usr/bin generally does not need to execute any program. Therefore, we recommend that you do not execute the system program directory. You can direct it to a directory, then copy the program to be executed, for example:

Safe_mode_exec_dir = D:/tmp/cmd:

Safe_mode_exec_dir = D:/usr/www (4) file inclusion in Safe Mode

If you want to include some public files in safe mode, modify the following options:

Safe_mode_include_dir = D:/usr/www/include/In fact, the files contained in the php script are all written in the program itself, which can be set as needed.

(5) control directories accessible by php scripts

You can use the open_basedir option to control that PHP scripts can only access the specified directory. This prevents PHP scripts from accessing files that should not be accessed, and limits the harm of phpshell to a certain extent, generally, we can set it to only access the website directory:

Open_basedir = D:/usr/www

(6) Disable dangerous functions

If the security mode is enabled, the function is not required, but we should consider it for security. For example, we do not want to execute a php function that can execute commands, such as system (), or a phpinfo () function that can view php information, then we can disable them:

Disable_functions = system, passthru, exec, shell_exec, popen, and phpinfo if you want to disable operations on any files and directories, you can disable many file operations: disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

The above only lists some file processing functions that are not commonly used. You can also combine the preceding command functions with this function to resist most phpshells.

(7) Disable PHP version information leakage in the http Header

To prevent hackers from obtaining information about the php version on the server, we can disable this information in the http header:

Expose_php = Off. For example, when hackers telnet www.2cto.com 80, they will not be able to see the PHP information.

(8) Disable registration of global variables

Variables submitted in PHP, including those submitted using POST or GET, will be automatically registered as global variables for direct access, which is very insecure for the server, therefore, if we cannot register it as a global variable, we disable the register global variable option:

Register_globals = Off. Of course, if this is set, you must use a reasonable method to obtain the corresponding variable, for example, GET the variable var submitted by GET, you need to use $ _ GET ['var'] to obtain it. This php programmer should pay attention to it.

(9) Enable magic_quotes_gpc to prevent SQL injection.

SQL injection is a very dangerous problem. If the website is compromised in the background, the entire server is compromised. Therefore, be careful. Php. ini has a setting:

Magic_quotes_gpc = Off, which is disabled by default. If it is enabled, it automatically converts the SQL query submitted by the user, for example, converting it, this plays a major role in preventing SQL injection. Therefore, we recommend the following settings:

Magic_quotes_gpc = On (10) error message control

Generally, php prompts an error when it is not connected to the database or in other cases. The error message contains the current path information of the php script or the queried SQL statement, this type of information is insecure when it is provided to hackers. Therefore, we recommend that you disable the following error message on the server:

Display_errors = Off if you want to display the error message, you must set the Display error level, for example, only display the warning information:

Error_reporting = E_WARNING & E_ERROR. Of course, we recommend that you disable the error prompt.
(11) Error Log

We recommend that you record the error information after you disable display_errors to find out the reason for running the server:

Log_errors = On also sets the directory where error logs are stored. It is recommended that the logs of the root apache exist together:

Error_log = D:/usr/local/apache2/logs/php_error.log Note: To files, you must allow apache users and groups to have write permissions.

MYSQL downgrading operation

Create a user, such as mysqlstart

Net user mysqlstart **** microsoft/add net localgroup users mysqlstart/del does not belong to any group

If MYSQL is installed in d: mysql, grant full control of MYSQL start. Then, set the MYSQL service attribute in the system service. In the logon attribute, select this user mysqlstart and enter the password to confirm. Restart the MYSQL service and MYSQL runs under low permissions.

If apache is built on the windos platform, we still need to note that apache runs the system permission by default, which is terrible, which makes people feel uncomfortable. let's drop apache permissions.

Net user apache *** microsoft/add net localgroup users apache/del creates a user apche that does not belong to any group.

Open the computer manager, select a service, click the apache service attribute, Select log on, select this account, fill in the account and password created above, restart the apache service, OK, apache runs under low permissions.

In fact, we can also set the permissions for each folder so that apache users can only execute what we want it to do, and create a single read/write user for each directory. This is also a popular configuration method for many VM providers. However, this method is used to prevent minor usage.