Website anti-injection and Trojan PHP. INI Security Settings

To prevent page attacks, you can include Attack Files in the header of the page, just like general anti-injection files. We can do this in three cases:
1. Reference in each file. This is acceptable, but it is inconvenient if a website contains hundreds of files.
2. Reference it in a co-inclusion file, such as the config. inc. php tutorial. This is a good solution and a popular practice in the market.
3. Reference in php. ini. Reference in the configuration file will affect all websites, including all pages. This is like some popular free space providers. When you activate an ftp space for free and upload the website, there will be advertisements in the same space. I don't know if this method is the same, but the purpose is the same. The benefit of doing so is: if it is a company or an enterprise's internal website, security and maintenance are also convenient.

The first two methods are clear to everyone. The third method is to find this section in php. ini:

; Automatically add files before or after any php document.
; Auto_prepend_file = "phpids. php"
; Auto_append_file = "alert. php"

The default value is null. Add the included files.
At the same time, find:

 

; Unix: "/path1:/path2"
; Include_path = ".:/php/shortdes"
;
Windows: "path1; path2"
Include_path = ".; f: phpnowhtdocs"

Because I have a windows environment, the windows option is enabled, and the path can be freely modified. At the same time, such features also make it easier for us to attack, such as Trojan. Now there are a lot of Trojan horse-mounting techniques in the market. We can use the auto_prepend_file option to mount Trojans in batches. We can mount websites on the entire server with the advantages of no speed impact, no file modification, and novel methods. Disadvantage: You must have write permission on php. ini.