11 Common PHP Security rules

There are some problems with the old version of PHP itself, such as some serious bugs before php4.3.10 and php5.0.3, so it is recommended that you use the new version. In addition, the current busy SQL injection is also in PHP have a lot of ways to use, so to ensure security, PHP code writing is on the one hand, PHP configuration is very critical.

Our PHP hand-installed, PHP default profile in/usr/local/apache2/conf/php.ini, our main is to configure the content of PHP.ini, let us execute PHP can be more secure. Security settings throughout PHP are primarily designed to prevent Phpshell and SQL injection attacks, and we'll explore it slowly. We first use any editing tool to open/etc/local/apache2/conf/php.ini, and if you are installing in a different way, the profile may not be in that directory.

(1) Open PHP security mode

The PHP security model is a very important embedded security mechanism that controls some functions in PHP, such as System (), and allows you to control many file manipulation functions, and not allow files for certain key files, such as/etc/passwd, But the default php.ini is not open safe mode, we turn it on:

Safe_mode = On

(2) User group security

When the Safe_mode is turned on, the Safe_mode_gid is turned off, so the PHP script can access the file and the same group of users can access the file.

The recommended setting is:

Safe_mode_gid = Off

If you do not set up, we may not be able to operate on our server Web site directory, such as when we need to operate on the file.

(3) Safe Mode executable Program home directory

If Safe mode is open, but you want to execute some programs, you can specify the home directory where you want to execute the program:

Safe_mode_exec_dir = D:/usr/bin

Typically, there is no program to perform, so it is recommended that you do not execute the System program directory, point to a directory, and then copy the program that needs to be executed, such as:

Safe_mode_exec_dir = D:/tmp/cmd

However, I recommend that you do not execute any programs, then you can point to our web directory:

Safe_mode_exec_dir = d:/usr/www

(4) Include files in Safe mode

If you want to include some public files in Safe mode, modify the options:

Safe_mode_include_dir = d:/usr/www/include/

In fact, the general PHP script contains files are in the program itself has been written, this can be set according to the specific needs.

(5) control the directory that the PHP script can access

Using the OPEN_BASEDIR option to control the PHP script can only access the specified directory, so that you can avoid PHP script access, should not access to the file, to some extent limit the harm of phpshell, we can generally set to access only the site directory:

Open_basedir = d:/usr/www

(6) Close the dangerous function

If Safe mode is turned on, the function prohibition is not necessary, but we consider it for security. For example, we don't want to execute PHP functions that can execute commands, including system (), or to see phpinfo () functions such as PHP information, so we can ban them:

Disable_functions = System,passthru,exec,shell_exec,popen,phpinfo

If you want to disable the operation of any files and directories, you can turn off many file operations

Disable_functions = Chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, Rmdir,rename, File,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above is just a list of not commonly used file processing functions, you can also execute the above command function and this function, you can resist most of the Phpshell.

(7) Turn off the disclosure of PHP version information in HTTP headers

In order to prevent hackers from obtaining information about the PHP version of the server, you can turn off the information ramp in the HTTP header:

expose_php = Off

For example, when the hacker in Telnet www.chinaz.com 80, then will not be able to see the PHP information.

(8) Turning off registration of global variables

Variables submitted in PHP, including the use of post or get submitted variables, will be automatically registered as a global variable, can be directly accessed, which is very unsafe for the server, so we can not let it register as a global variable, the registration of global variable option to turn off:

Register_globals = Off

Of course, if this is the case, then the corresponding variable should be taken in a reasonable way, such as getting the variable var of get commit, then use $_get[' var ' to obtain, the PHP programmer should pay attention to.

(9) Open MAGIC_QUOTES_GPC to prevent SQL injection

SQL injection is a very dangerous problem, small site backstage was invaded, heavy the entire server fell, so be careful. There is a setting in php.ini:

MAGIC_QUOTES_GPC = Off

This default is closed, if it is opened will automatically put the user submitted to the SQL query conversion, such as the ' switch ', which is important to prevent SQL injection. So we recommend setting it to:

MAGIC_QUOTES_GPC = On

(10) Error information Control

General PHP is not connected to the database or other circumstances will be prompted error, the general error message will contain the current path of the PHP script information or query the SQL statements and other information, such information provided to hackers, is not safe, so the general server recommendations prohibit error tips:

Display_errors = Off

If you are trying to display an error message, be sure to set the level at which the error is displayed, such as displaying only the information above the warning:

error_reporting = e_warning & E_error

Of course, I recommend closing the error prompt.

(11) Error log

It is recommended that the error message can be logged after the display_errors is turned off to make it easier to find out why the server is running:

Log_errors = On

Also set the directory where the error log is stored, and suggest that the log of the root Apache be present together:

Error_log = D:/usr/local/apache2/logs/php_error.log

Note: You must allow the Apache users and groups to have write permissions to the file.

MySQL's Down right run

Create a new user like Mysqlstart

NET user Mysqlstart ****microsoft/add net localgroup users Mysqlstart/del

Does not belong to any group

If MySQL is installed in D:mysql, then give Mysqlstart Full control of the permissions. Then in the system service settings, MySQL service properties, in the login attribute, select this user mysqlstart then enter the password, OK. Restart the MySQL service, and MySQL runs under low privileges.

If you are in the WinDOS platform to build Apache we also need to note that the Apache run by default is System permissions, which is very scary, this makes people feel very uncomfortable. Then let's give Apache a drop in privileges.

NET user Apache ****microsoft/add net localgroup users Apache/del

Set up a user apche that does not belong to any group.

We open the Computer Manager, select the service, point Apache Service Properties, we choose Log on, select this account, we fill in the above established accounts and passwords, restart the Apache service, Ok,apache run under low privileges.

In fact, we can also set the permissions of each folder so that Apache users can only do what we want it to do, and create a single user who can read and write to each directory. This is also the current popular configuration of many virtual host providers Oh, but this method is used to prevent this is a bit more overqualified.