Some common security configuration methods in php.ini (PHP tutorial)

Source: Internet
Author: User
Tags: apache, log
This article introduces some common security settings in php.ini for readers who need a reference. Note that safe_mode, register_globals and magic_quotes_gpc (sections 1 to 4, 8 and 9 below) were removed in PHP 5.4, so those settings apply only to older PHP versions; the remaining directives still exist in current PHP.

(1) Turn on PHP safe mode

PHP's safe mode is an important built-in security mechanism. It restricts certain PHP functions such as system(), applies permission checks to many of the file operation functions, and prevents access to some sensitive files such as /etc/passwd. Safe mode is not enabled in the default php.ini, so we turn it on:

safe_mode = On

(2) User group security

When safe_mode is on and safe_mode_gid is off, PHP compares the UID of the running script with the UID of the file being accessed before allowing the access. Turning safe_mode_gid on relaxes this to a GID comparison, so any user in the same group can also access the file.

The recommended setting is:

safe_mode_gid = Off

If this is not set, we may be unable to work with the files under our server's web directory, for example when a script needs to operate on a file there.

(3) Execution directory for programs in safe mode

If safe mode is on but you still need to execute some programs, you can specify the directory from which programs may be executed:

safe_mode_exec_dir = /usr/bin

In general there is no need to execute any program at all, so it is better not to point this at a system program directory. Instead, point it at a directory of your own and copy only the programs that need to be executed into it, for example:

safe_mode_exec_dir = /temp/cmd

However, I recommend not executing any programs at all, in which case you can point it at the web directory:

safe_mode_exec_dir = /usr/www

(4) Including files in safe mode

If you want to include some shared files while safe mode is on, modify this option:

safe_mode_include_dir = /usr/www/include/

In practice, the files a PHP script includes are usually already written into the program itself, so this can be set according to specific needs.

(5) Control the directories a PHP script can access

Use the open_basedir option so that PHP scripts can only access the specified directory. This prevents scripts from reaching files they should not be able to read, and limits the damage a PHP webshell can do. It is usually set to the site directory only:

open_basedir = /usr/www

(6) Disable dangerous functions

If safe mode is on, disabling functions is not strictly necessary, but we do it for safety anyway. For example, if we do not want scripts to be able to call PHP functions such as system(), or phpinfo(), which reveals the PHP configuration, we can disable them:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl

If you want to prevent any file and directory operations, you can also disable many of the file functions:

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

These are just some of the more commonly used file-handling functions. Combining this list with the command-execution functions above will defeat most PHP webshells.

(7) Stop leaking the PHP version in the HTTP header

To prevent attackers from learning the server's PHP version, you can turn off the information leaked in the HTTP response header (the X-Powered-By header):

expose_php = Off

For example, when an attacker connects with telnet www.girlcoding.com 80 and sends a request, the PHP version information will no longer be shown.

(8) Turn off registered global variables

Variables submitted to PHP, including those submitted via POST or GET, are automatically registered as global variables and can be accessed directly, which is very insecure for the server, so we turn off registration of global variables with the register_globals option:

register_globals = Off

Of course, once this is set, the corresponding variables must be obtained in the proper way: for example, a variable var submitted via GET is read with $_GET['var']. PHP programmers should pay attention to this.
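The risk described above, as an added example that is not code from the original article. register_globals was removed in PHP 5.4, so its effect (every request key becomes a local variable) is simulated here with extract(); user_is_logged_in() is a hypothetical stand-in for real authentication and the request array is constructed.

```php
<?php
// Added example, not code from the original article. register_globals was removed in
// PHP 5.4, so its effect (every request key becomes a local variable) is simulated
// with extract(). user_is_logged_in() is a hypothetical stand-in for real authentication.

function user_is_logged_in(): bool
{
    return false;   // the constructed request below comes from an anonymous visitor
}

// Constructed request: the visitor appended ?is_admin=1 to the URL.
$request = ['is_admin' => '1'];

// Vulnerable pattern, as commonly written when register_globals = On.
function vulnerable_check(array $request): bool
{
    extract($request);            // same effect as register_globals = On
    if (user_is_logged_in()) {
        $is_admin = true;         // only assigned on the success path ...
    }
    return !empty($is_admin);     // ... so the injected "1" is trusted when the check fails
}

// Hardened pattern for register_globals = Off: every variable is initialised before use
// and request data is only ever read explicitly (from $_GET / $_POST in real code),
// never treated as a trust decision.
function hardened_check(array $request): bool
{
    $is_admin = false;            // cannot be overwritten by request data
    if (user_is_logged_in()) {
        $is_admin = true;
    }
    return $is_admin;
}

var_dump(vulnerable_check($request));
var_dump(hardened_check($request));
```

For the constructed request, vulnerable_check() returns true (an anonymous visitor is treated as an administrator) while hardened_check() returns false.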

(9) Turn on magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem: in mild cases the site's back end is compromised, in severe cases the whole server falls, so it must be handled carefully. There is a setting in php.ini:

magic_quotes_gpc = Off

This is off by default. When it is on, PHP automatically escapes the data users submit before it reaches SQL queries, for example turning ' into \', which goes a long way toward preventing SQL injection. We therefore recommend setting it to:

magic_quotes_gpc = On

Sometimes a program that works fine locally misbehaves once uploaded to the server. In one case this was caused by inherited Discuz core files and a problem fetching paths; turning this option on afterwards solved the problem.

(10) Error message control

In general, when PHP cannot connect to the database or runs into some other problem, an error message is displayed. These messages usually contain the current path of the PHP script, the SQL statement being run, or similar details, which are unsafe to hand to an attacker, so on a production server it is recommended to disable error display:

display_errors = Off

If you do want to display error messages, be sure to set the level of errors displayed, for example only errors and warnings (note the bitwise OR; E_WARNING & E_ERROR evaluates to 0 and would report nothing):

error_reporting = E_ERROR | E_WARNING

Of course, I recommend turning off error display altogether.

(11) Error log

After turning off display_errors, it is recommended to log error messages so that problems with the server can be tracked down more easily:

log_errors = On

Also set where the error log is stored; it is suggested to keep it together with the Apache logs:

error_log = /usr/local/apache2/logs/php_error.log

Note: the user or group that Apache runs as must have write permission on this file.
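A way to check a server against the settings covered in sections 5 through 11, as an added example that is not code from the original article: it reads the effective values of the running interpreter through ini_get(). The file name audit.php is an assumption; run it under the web SAPI (not only the CLI, whose defaults differ) to see the values the web server actually uses.

```php
<?php
// Added example, not code from the original article: audits the running PHP interpreter
// against the php.ini settings recommended above, via ini_get(). File name is assumed.
function ini_is_off(string $name): bool
{
    // boolean directives come back from ini_get() as "", "0" or the literal text
    $v = strtolower(trim((string) ini_get($name)));
    return in_array($v, ['', '0', 'off', 'false', 'no'], true);
}
function audit(): array
{
    $f = [];
    if (!ini_is_off('expose_php')) {                        // (7) X-Powered-By version leak
        $f[] = 'expose_php is On: set expose_php = Off';
    }
    if (!ini_is_off('display_errors')) {                    // (10) errors shown to clients
        $f[] = 'display_errors is On: set display_errors = Off';
    }
    if ((error_reporting() & E_ERROR) === 0) {              // (10) E_WARNING & E_ERROR is 0
        $f[] = 'error_reporting drops E_ERROR: use E_ERROR | E_WARNING';
    }
    if (ini_is_off('log_errors')) {                         // (11) keep a server-side log
        $f[] = 'log_errors is Off: set log_errors = On';
    }
    $log = (string) ini_get('error_log');
    if ($log !== '' && !is_writable(file_exists($log) ? $log : dirname($log))) {
        $f[] = "error_log {$log} is not writable by this user";  // (11) web user needs write
    }
    if (trim((string) ini_get('open_basedir')) === '') {    // (5) no directory confinement
        $f[] = 'open_basedir is unset: restrict scripts to the site directory';
    }
    // (6) function_exists() returns false for anything removed by disable_functions
    foreach (['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open', 'dl', 'phpinfo'] as $fn) {
        if (function_exists($fn)) {
            $f[] = "{$fn}() is callable: add it to disable_functions";
        }
    }
    // (8)/(9) removed in PHP 5.4; ini_get() returns false for a directive that does not exist
    if (ini_get('register_globals') !== false && !ini_is_off('register_globals')) {
        $f[] = 'register_globals is On: set register_globals = Off';
    }
    if (ini_get('magic_quotes_gpc') !== false && ini_is_off('magic_quotes_gpc')) {
        $f[] = 'magic_quotes_gpc is Off: the article recommends magic_quotes_gpc = On';
    }
    return $f;
}
$findings = audit();
foreach ($findings as $finding) { echo $finding, PHP_EOL; }
exit($findings === [] ? 0 : 1);   // non-zero exit lets a deployment check fail on findings
```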
