PHP anti-injection configuration and php anti-injection code _ PHP Tutorial

Source: Internet
Author: User
PHP anti-injection configuration and PHP anti-injection code. PHP anti-injection comes in two forms: anti-injection code, either aimed at SQL injection or filtering every submitted variable the way many CMSs do, and direct configuration of php.ini. Both are introduced separately below.

1. Upload safe.func.php to the directory of the file that will include it.

2. Add protection to the page. You can choose either of the following two methods as needed:

A) Add this code to the page to be protected:

require_once('safe.func.php');

This prevents injection and cross-site attacks on that page. If you want to protect the whole website against website flooding attacks, add the same require_once('safe.func.php'); line to a public file that every page already includes, such as the database connection file config.inc.php.

The safe.func.php code is as follows. The listing is reconstructed from the garbled extraction; the page shows the fields of the log record but not the function that writes it, so the safe_writes_log() wrapper and its error_log() sink are assumptions, and the two filter patterns are shown only as far as the page preserves them:

<?php
/*
 * Anti-injection
 */

// Record a blocked request. Only the message fields come from the page;
// the wrapper name and the error_log() destination are assumed.
function safe_writes_log($StrFiltKey, $StrFiltValue)
{
    $msg = "Operation IP address: " . $_SERVER["REMOTE_ADDR"] . "\n"
         . "Operation time: " . date("Y-m-d H:i:s") . "\n"
         . "Operation page: " . $_SERVER["PHP_SELF"] . "\n"
         . "Submission method: " . $_SERVER["REQUEST_METHOD"] . "\n"
         . "Parameter submitted: " . $StrFiltKey . "\n"
         . "Submitted data: " . $StrFiltValue;
    error_log($msg);
}

// Custom error handler: print a short message instead of the default
// error text (which can reveal paths and SQL) and stop the script.
function safe_custom_error($errno, $errstr, $errfile, $errline)
{
    echo "Error number: [$errno], error on line $errline in $errfile";
    die();
}
set_error_handler("safe_custom_error", E_ERROR);

// $method selects the pattern: 0 for GET, 1 for POST and COOKIE.
function safe_stop_attack($k, $v, $method = 0)
{
    $filter = array(
        // quote, or and/or followed by a comparison, or a /* */ comment
        "'|(and|or).+?(>|<|=|in|like)|\/\*.+?\*\/",
        // and/or within six characters of a comparison, or a /* */ comment
        "(and|or).{1,6}?(=|>|<|in|like)|\/\*.+?\*\/",
    );
    $filter = isset($filter[$method]) ? $filter[$method] : $filter[0];

    if (is_array($v)) {
        $v = implode($v);
    }
    if (preg_match("/" . $filter . "/is", $v) == 1) {
        safe_writes_log($k, $v);
        exit("This operation has been recorded. Do not continue illegal operations.");
    }
}

if (isset($_GET)) {
    foreach ($_GET as $k => $v) safe_stop_attack($k, $v, 0);
}
if (isset($_POST)) {
    foreach ($_POST as $k => $v) safe_stop_attack($k, $v, 1);
}
if (isset($_COOKIE)) {
    foreach ($_COOKIE as $k => $v) safe_stop_attack($k, $v, 1);
}

The above is better suited to preventing SQL injection. The second approach filters every submitted variable, as many CMSs do.

The code is as follows:

<?php
$get  = array();
$post = array();

/* Filter all GET variables */
foreach ($_GET as $get_key => $get_var) {
    if (is_numeric($get_var)) {
        $get[strtolower($get_key)] = get_int($get_var);
    } else {
        $get[strtolower($get_key)] = get_str($get_var);
    }
}

/* Filter all POST variables */
foreach ($_POST as $post_key => $post_var) {
    if (is_numeric($post_var)) {
        $post[strtolower($post_key)] = get_int($post_var);
    } else {
        $post[strtolower($post_key)] = get_str($post_var);
    }
}

/* Filter functions */
// Integer filter function
function get_int($number)
{
    return intval($number);
}

// String filter function: escape quotes unless magic quotes already did.
// get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes themselves
// went in 5.4), so guard the call to keep this runnable on current PHP.
function get_str($string)
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return addslashes($string);
    }
    return $string;
}
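Both listings above try to make input safe before it is spliced into SQL text, the first with a regex blacklist and the second with addslashes()/intval(). The following is an added example, not code from the tutorial, showing the same lookups with a PDO prepared statement, where the value is bound as a parameter and never becomes part of the query text. It assumes the pdo_sqlite extension and runs offline against an in-memory database with constructed rows.

```php
<?php
// Added example (not from the original tutorial): concatenated query beside
// its prepared-statement form. Assumes pdo_sqlite; data is constructed.

function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// Vulnerable shape: the submitted value becomes part of the SQL text, which
// is what the tutorial's filters try to compensate for.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened shape: the value travels as a bound parameter, so the database
// never parses it as SQL and no escaping step is needed.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric case: the tutorial's get_int() relies on intval(); with PDO the
// same intent is stated by binding the value as PDO::PARAM_INT.
function find_user_by_id(PDO $db, $id): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db    = build_db();
$input = "x' OR '1'='1";                    // constructed sample input
var_dump(find_user_concat($db, $input));    // the injected OR matches every row
var_dump(find_user_prepared($db, $input));  // no user has that literal name
var_dump(find_user_by_id($db, "1 OR 1=1")); // cast to the integer 1 only
```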

In addition to the code-level protection above, we can also harden PHP through the php.ini file.

Open /usr/local/php/etc/php.ini with any editor. If PHP was installed another way, the configuration file may not be in this directory.

(1) Enable PHP safe mode. Safe mode is an important built-in security mechanism that restricts some PHP functions, such as system(), and puts many file-operation functions under permission control, so that key files such as /etc/passwd cannot be read. The default php.ini does not enable safe mode, so turn it on:
safe_mode = on

(2) User group security

When safe_mode is enabled and safe_mode_gid is disabled, the PHP script can access the file, and users in the same group can also access files.
Recommended setting:

safe_mode_gid = off

If this is not set, we may be unable to operate on the files in our website directory on the server, for example when the application needs to perform file operations.

(3) Main directory for executing programs in safe mode

If safe mode is enabled but you still need to execute some programs, you can specify the main directory of the programs to be executed:

safe_mode_exec_dir = D:/usr/bin

Generally you do not need to execute any program, so we recommend not pointing this at the system program directory. It can point to a directory of its own into which you then copy the programs to be executed, for example:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not executing any program at all, in which case you can point it at our web directory:

safe_mode_exec_dir = D:/usr/www

(4) File inclusion in safe mode

If you want to include some public files in safe mode, modify the following option:

safe_mode_include_dir = D:/usr/www/include/

In fact, the files included by a PHP script are normally written into the program itself, so this can be set as needed.

(5) Control the directories accessible to PHP scripts

You can use the open_basedir option to restrict PHP scripts to the specified directory, so that a script cannot access files it should not; this limits the damage a PHP shell can do to a certain extent. We can usually restrict access to the website directory only:

open_basedir = D:/usr/www

(6) Disable dangerous functions

If safe mode is enabled this is not strictly required, but it is worth doing for security. For example, if we do not want PHP to execute functions such as system() that can run commands, or functions such as phpinfo() that reveal PHP information, we can disable them:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo

If you also want to block operations on files and directories, you can disable many file-operation functions:

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

The list above contains only some of the less commonly used file-handling functions. Combining the command-execution functions from the previous line with these lets you resist most PHP shells.

(7) Disable PHP version leakage in the HTTP header

To prevent attackers from learning the PHP version running on the server, we can suppress this information in the HTTP header:

expose_php = Off

For example, when someone telnets to port 80, they will no longer see the PHP version information.

(8) Disable registration of global variables

Variables submitted to PHP, whether by POST or GET, are automatically registered as global variables and can be accessed directly. This is very insecure for the server, so we disable the register_globals option so that they are no longer registered as globals:

register_globals = Off

Of course, once this is set, the corresponding variable must be obtained the proper way: to read the variable var submitted by GET, for example, you need to use $_GET['var']. PHP programmers should pay attention to this.

(9) Enable magic_quotes_gpc to prevent SQL injection

SQL injection is a very dangerous problem: in mild cases the website back end is intruded, and in severe cases the entire server is compromised, so be careful. php.ini has this setting:

magic_quotes_gpc = Off

It is disabled by default. If it is enabled, PHP automatically escapes the data submitted by the user, for example converting ' to \', which plays a major role in preventing SQL injection. Therefore we recommend the following setting:

magic_quotes_gpc = On

(10) Error message control

In general, PHP prints an error message when it cannot connect to the database or in other failure cases. The usual error message contains the path of the PHP script or the SQL statement being queried, which is unsafe once handed to an attacker. Therefore we recommend that the server disable the error display:

display_errors = Off

If you do want to display error messages, you must set the error display level, for example to show only warnings and errors:

error_reporting = E_WARNING | E_ERROR

Of course, we still recommend disabling the error display.

(11) Error log

After disabling display_errors, we recommend recording the error information so that the cause of a server problem can be found:

log_errors = On

Also set the directory where error logs are stored; it is recommended that they live together with the Apache logs:

error_log = D:/usr/local/apache2/logs/php_error.log

Note: the Apache user and group must have write permission to this file.
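Once php.ini has been edited, it is worth confirming that the running interpreter actually picked the values up. The following is an added example, not part of the tutorial, that reads the directives from steps (1) and (5) to (11) with ini_get() and lists every deviation. safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current PHP they are reported as absent rather than compared with the recommended value; the function names checked in disable_functions are the ones listed in step (6).

```php
<?php
// Added example (not from the original tutorial): audit the live PHP
// configuration against the php.ini hardening described above.
// Run it with the same SAPI you want to check (php-cgi/FPM read php.ini
// separately from the CLI).

function ini_bool(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;                     // directive unknown to this PHP
    }
    return in_array(strtolower((string) $v), ['1', 'on', 'yes', 'true'], true);
}

// Returns a list of findings; an empty list means every check passed.
function audit_php_ini(): array
{
    $findings = [];
    $wanted = [
        'safe_mode'        => true,      // step (1), removed in PHP 5.4
        'register_globals' => false,     // step (8), removed in PHP 5.4
        'magic_quotes_gpc' => true,      // step (9), removed in PHP 5.4
        'expose_php'       => false,     // step (7)
        'display_errors'   => false,     // step (10)
        'log_errors'       => true,      // step (11)
    ];
    foreach ($wanted as $d => $want) {
        $have = ini_bool($d);
        if ($have === null) {
            $findings[] = "$d: directive not present in this PHP build";
        } elseif ($have !== $want) {
            $findings[] = "$d: expected " . ($want ? 'On' : 'Off');
        }
    }
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir: not set (step 5); scripts may read any path';
    }
    // Step (6): every command-execution function must be in disable_functions.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $missing  = array_diff(['system', 'passthru', 'exec', 'shell_exec', 'popen'], $disabled);
    if ($missing) {
        $findings[] = 'disable_functions: still allows ' . implode(', ', $missing);
    }
    return $findings;
}

foreach (audit_php_ini() as $finding) {
    echo $finding, PHP_EOL;
}
```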

