Description of PHP Safe Mode (safe_mode)

Source: Internet
Author: User

Enabling PHP safe mode (note that PHP 5.3 will no longer have safe mode)

Safe mode is turned on or off with the safe_mode option in php.ini:


safe_mode = on (enable safe mode)

safe_mode = off (disable safe mode)

The corresponding settings for a VirtualHost in Apache's httpd.conf:

php_admin_flag safe_mode on (enable safe mode)

php_admin_flag safe_mode off (disable safe mode)

Or:

php_admin_value safe_mode 1 (enable safe mode)

php_admin_value safe_mode 0 (disable safe mode)


Safe mode configuration directives:

Name                          Default value      Changeable       Changelog
safe_mode                     "0"                PHP_INI_SYSTEM
safe_mode_gid                 "0"                PHP_INI_SYSTEM   Available from PHP 4.1.0
safe_mode_include_dir         NULL               PHP_INI_SYSTEM   Available from PHP 4.1.0
safe_mode_exec_dir            ""                 PHP_INI_SYSTEM
safe_mode_allowed_env_vars    "PHP_"             PHP_INI_SYSTEM
safe_mode_protected_env_vars  "LD_LIBRARY_PATH"  PHP_INI_SYSTEM
open_basedir                  NULL               PHP_INI_SYSTEM
disable_functions             ""                 php.ini only     Available from PHP 4.0.1
disable_classes               ""                 php.ini only     Available from PHP 4.3.2

When safe mode is on, the following functions are restricted:

Function name                     Restriction
dbmopen()                         Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
dbase_open()                      Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro()                         Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro_rowcount()                Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
filepro_retrieve()                Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
ifx_*                             Subject to the sql_safe_mode restriction (not the same as safe mode).
ingres_*                          Subject to the sql_safe_mode restriction (not the same as safe mode).
mysql_*                           Subject to the sql_safe_mode restriction (not the same as safe mode).
pg_loimport()                     Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
posix_mkfifo()                    Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
putenv()                          Obeys the safe_mode_protected_env_vars and safe_mode_allowed_env_vars ini settings. See the documentation for putenv().
move_uploaded_file()              Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
chdir()                           Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
dl()                              This function is disabled in safe mode.
backtick operator                 This function is disabled in safe mode.
shell_exec() (same as backticks)  This function is disabled in safe mode.
exec()                            Programs can be executed only from the directory set in safe_mode_exec_dir. For practical reasons, .. cannot currently be used in the path to the executable. escapeshellcmd() is applied to the argument of this function.
system()                          Programs can be executed only from the directory set in safe_mode_exec_dir. For practical reasons, .. cannot currently be used in the path to the executable. escapeshellcmd() is applied to the argument of this function.
passthru()                        Programs can be executed only from the directory set in safe_mode_exec_dir. For practical reasons, .. cannot currently be used in the path to the executable. escapeshellcmd() is applied to the argument of this function.
popen()                           Programs can be executed only from the directory set in safe_mode_exec_dir. For practical reasons, .. cannot currently be used in the path to the executable. escapeshellcmd() is applied to the argument of this function.
fopen()                           Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
mkdir()                           Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
rmdir()                           Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
rename()                          Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
unlink()                          Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
copy()                            Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed. (On source and target.)
chgrp()                           Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
chown()                           Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed.
chmod()                           Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Also, you cannot set the SUID, SGID and sticky bits.
touch()                           Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed.
symlink()                         Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed. (Note: only the target is checked.)
link()                            Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed. (Note: only the target is checked.)
apache_request_headers()          In safe mode, headers that begin with "authorization" (case-sensitive) will not be returned.
header()                          In safe mode, if WWW-Authenticate is set, the current script's UID is added to the realm part of the header.
PHP_AUTH variables                In safe mode, the variables PHP_AUTH_USER, PHP_AUTH_PW and PHP_AUTH_TYPE are not available in $_SERVER. However, you can still use REMOTE_USER to get the user name. (Note: only from PHP 4.3.0 onwards.)
highlight_file(), show_source()   Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed. (Note: only applies after version 4.2.1.)
parse_ini_file()                  Checks whether the file or directory being manipulated has the same UID (owner) as the script being executed. Checks whether the directory being manipulated has the same UID (owner) as the script being executed. (Note: only applies after version 4.2.1.)
set_time_limit()                  Does not work in safe mode.
max_execution_time                Does not work in safe mode.
mail()                            In safe mode, the fifth parameter is disabled. (Note: only affected from PHP 4.2.3.)

Similarly, functions in some PHP extensions are also affected. (Loading modules: in safe mode the dl() function is disabled; if you want to load an extension, you can only do so through the extension option in php.ini, so that it is loaded when PHP starts.)

When safe mode is on and you need to execute a system program, the program must be in the directory specified by the safe_mode_exec_dir option, or execution will fail. Even when execution is allowed, the command is automatically passed through the escapeshellcmd() function for filtering.

The following command-execution functions are affected:

exec, shell_exec, passthru, system, popen

In addition, the backtick operator (`) is also disabled.

When running in safe mode, the putenv() function has no effect, although it does not raise an error. Similarly, other functions that attempt to change the PHP environment, set_time_limit() and set_include_path(), are also ignored.


Effects of turning safe mode on:
The file owner is checked whenever a function accesses the file system. By default, the user ID of the file's owner is checked; you can change this to check the file owner's group ID (GID) instead by setting the safe_mode_gid option.

If you have shared library files on your system that you need to include or require, you can set their path with the safe_mode_include_dir option so that your code works properly. (Include paths: to list more than one include path in safe_mode_include_dir, separate them with colons on Unix/Linux, as with the include_path option, and with semicolons on Windows.)

For example, to include files under /usr/local/include/php in safe mode, set the option to:

safe_mode_include_dir=/usr/local/include/php

If your included files need to execute programs, you can set the safe_mode_exec_dir option.
For example, to allow the files under /usr/local/php-bin to be executed, set the option to:

safe_mode_exec_dir=/usr/local/php-bin

(Executables: if the program you want to run is in the /usr/bin directory, you can link the binary into the directory specified by this option so that it can be executed.)

If you want to set certain environment variables, you can use the safe_mode_allowed_env_vars option. Its value is a list of environment variable prefixes; by default it allows environment variables that start with PHP_. To change this, set the option and separate the prefixes with commas.

For example, to also allow the time zone environment variable TZ, set the option to:

safe_mode_allowed_env_vars=PHP_,TZ

In addition to Safe mode, PHP offers many other features to keep PHP secure.

1. [Hide PHP version number]

You can use the expose_php option in php.ini to keep the web server from leaking PHP version information:

expose_php = Off

With this setting, you can block some attacks from automated scripts against web servers. Typically, the HTTP headers contain information like the following:

Server: Apache/1.3.33 (Unix) PHP/5.2.4 mod_ssl/2.8.16 OpenSSL/0.9.7c

With expose_php turned off, the PHP version information is no longer included in the header above.

Of course, users can still see the .php file name extension when they visit the site. If you want to use a different file extension altogether, find the following line in httpd.conf:

AddType application/x-httpd-php .php

You can change .php to any file name extension you like. You can specify any number of file extensions, separated by spaces. If you want PHP to parse .html and .htm files on the server side, set the option as follows:

AddType application/x-httpd-php .html .htm

(Parsing HTML: if you configure your web server to parse all HTML files with PHP, pages that contain no server-side code are also run through PHP, which can affect server performance. Static pages can use a different extension, which removes the dependence on the PHP scripting engine and improves performance.)

2. [File system security]

Safe mode restricts a script to the files that belong to its owner, but you can also use open_basedir to specify the directory that access must be confined to. If you specify a directory, PHP denies access to everything outside that directory and its subdirectories. The open_basedir option also works outside of safe mode.

To restrict file system access to the /tmp directory only, set the option to:

open_basedir=/tmp

3. [Function Access control]

You can list function names, separated by commas, in the disable_functions option; those functions are then disabled in PHP scripts. This setting also works outside of safe mode.

disable_functions=dl

Of course, you can also use the disable_classes option to turn off access to some classes.
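
A configuration check for the options covered so far, as an added example that is not part of the original page: it parses php.ini text and reports leftover safe_mode directives, an exposed version header, an unset open_basedir and command-execution functions missing from disable_functions. The function name auditIni and both sample fragments are constructed for illustration.

```php
<?php
// Added example, not from the original page. Audits php.ini text for the
// options discussed above; the two fragments below are constructed samples.
function auditIni(string $iniText): array
{
    $ini = parse_ini_string($iniText);   // "On" parses to "1", "Off" to ""
    if ($ini === false) {
        throw new InvalidArgumentException('php.ini text could not be parsed');
    }
    $findings = [];

    // Any safe_mode* directive means the configuration still leans on safe mode.
    foreach (array_keys($ini) as $key) {
        if (strpos($key, 'safe_mode') === 0) {
            $findings[] = "$key is set: safe mode is gone from current PHP, so it protects nothing";
        }
    }
    // expose_php defaults to on, so a missing entry also leaks the version.
    if (!array_key_exists('expose_php', $ini) || $ini['expose_php']) {
        $findings[] = 'expose_php is on: the PHP version is sent in response headers';
    }
    if (empty($ini['open_basedir'])) {
        $findings[] = 'open_basedir is empty: file access is not confined to a directory';
    }
    // Command-execution functions named on this page, plus dl().
    $risky = ['dl', 'exec', 'shell_exec', 'passthru', 'system', 'popen'];
    $disabled = array_map('trim', explode(',', $ini['disable_functions'] ?? ''));
    $enabled = array_diff($risky, $disabled);
    if ($enabled) {
        $findings[] = 'not in disable_functions: ' . implode(', ', $enabled);
    }
    return $findings;
}

$weak = "safe_mode = On\nsafe_mode_exec_dir = \"/usr/local/php-bin\"\n"
      . "expose_php = On\ndisable_functions = dl\n";
$hardened = "expose_php = Off\nopen_basedir = \"/var/www/app:/tmp\"\n"
          . "disable_functions = \"dl,exec,shell_exec,passthru,system,popen\"\n";

foreach (['weak' => $weak, 'hardened' => $hardened] as $name => $text) {
    $findings = auditIni($text);
    echo "[$name] ", count($findings), " finding(s)\n";
    foreach ($findings as $finding) {
        echo "  - $finding\n";
    }
}
```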

4. [Database Security]

Suppose your PHP script contains a MySQL query that is built from form values:

$sql = "UPDATE mytable SET col1=" . $_POST["value"] . " WHERE col2='somevalue'";

$res = mysql_query($sql, $db);

You expect $_POST["value"] to contain an integer value to update your column col1. However, a malicious user can enter a semicolon in the form field, followed by any SQL statement that he or she wants executed.

For example, suppose the following is the value submitted in $_POST["value"]:

0;INSERT INTO admin_users (username,password) VALUES ('me','mypassword');

When this query is sent to MySQL, it becomes the following SQL:

UPDATE mytable SET col1=0;

INSERT INTO admin_users (username,password) VALUES ('me','mypassword');

WHERE col2='somevalue';

This is obviously a harmful query! First, it updates col1 in the mytable table. That is not a problem in itself, but the second statement is an INSERT that adds a new administrator who can log in. The third fragment is discarded and makes the SQL parser throw an error, but by then the unwanted query has already completed. This attack is what is commonly called SQL injection.

Of course, SQL injection has a precondition: the attacker must understand your database structure. In this case, the attacker knows that you have a table named admin_users, that it contains username and password fields, and that the stored password is unencrypted.

Apart from you, ordinary site visitors do not know these details about the database. However, if you use an e-commerce application whose source code is openly available, or a free discussion-board program, the table definitions are known, or some users may have access to your database.

In addition, a query error printed in your script's output can reveal a lot of important information about the structure of the database. On a production web site, you should consider setting the display_errors option to off and using log_errors instead of display_errors, so that warnings and error messages are written to a file.

(Database permissions: it is very important that the script connects to the database with only the permissions it needs. You should not connect to the database as the administrator from a script. If you do, an attacker could obtain all database permissions, including permissions over other databases on the same server, and could run GRANT or CREATE USER commands to gain further access.)

To prevent SQL injection attacks, you must make sure that the content users submit through forms is not an SQL expression that can be executed.

The previous example updated an integer value. If the value were a string enclosed in single quotes, the attacker would have to submit a closing quote before the semicolon to terminate the string ahead of the rest of the SQL expression. However, quotes submitted in a web form are automatically escaped when the magic_quotes_gpc option is turned on.

To prevent SQL injection by malicious users, you should always confirm that the submitted data is legitimate. If you need an integer value, you can use the is_numeric function to test the value, or use the settype function to convert it to a number, which strips out any stray SQL statement.

If your program needs several submitted values in one SQL expression, you can use the sprintf function to build the SQL string, with format specifiers indicating the data type of each value. Look at the following example:

$sql = sprintf("UPDATE mytable SET col1=%d WHERE col2='%s'", $_POST["number"], mysql_escape_string($_POST["string"]));

In the previous example, MySQL is the database in use, so the string is filtered through the mysql_escape_string function. For other databases, you can use the addslashes function to escape, or use other methods.
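
The injection described above beside a hardened form, as an added example that is not part of the original page: it uses PDO with an in-memory SQLite database, filter_var() and bound parameters in place of the page's mysql_* calls (the mysql extension was removed in PHP 7.0). The table layout follows the page's query; the function names and rows are constructed for illustration, and the pdo_sqlite extension is assumed to be loaded.

```php
<?php
// Added example, not from the original page. Schema and rows are constructed;
// an in-memory SQLite database (pdo_sqlite) stands in for the page's MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (col1 INTEGER, col2 TEXT);
           CREATE TABLE admin_users (username TEXT, password TEXT);
           INSERT INTO mytable VALUES (1, 'somevalue');");

function adminCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM admin_users')->fetchColumn();
}

// Vulnerable pattern from the page: the form value is concatenated into the SQL.
function updateUnsafe(PDO $db, string $value): void
{
    $db->exec("UPDATE mytable SET col1=" . $value . " WHERE col2='somevalue'");
}

// Hardened: reject anything that is not an integer, then bind it as a
// parameter so the value can never be parsed as SQL.
function updateSafe(PDO $db, string $value): bool
{
    $number = filter_var($value, FILTER_VALIDATE_INT);
    if ($number === false) {
        return false;
    }
    $stmt = $db->prepare('UPDATE mytable SET col1 = :number WHERE col2 = :col2');
    $stmt->bindValue(':number', $number, PDO::PARAM_INT);
    $stmt->bindValue(':col2', 'somevalue', PDO::PARAM_STR);
    return $stmt->execute();
}

// The value from the page's example, submitted where an integer is expected.
$submitted = "0;INSERT INTO admin_users (username,password) VALUES ('me','mypassword');";

try {
    updateUnsafe($db, $submitted);
} catch (PDOException $e) {
    echo "unsafe: query error: ", $e->getMessage(), "\n";
}
echo "unsafe: admin_users rows = ", adminCount($db), "\n";

$db->exec('DELETE FROM admin_users');
echo "safe: accepted = ", var_export(updateSafe($db, $submitted), true), "\n";
echo "safe: admin_users rows = ", adminCount($db), "\n";
echo "safe: accepted = ", var_export(updateSafe($db, '42'), true), "\n";
```

SQLite's exec() runs the statements one after another, so the unsafe path shows the behaviour the text describes: the INSERT completes before the trailing WHERE fragment raises a syntax error.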
