PHP security configuration details
[Safe mode]
PHP's safe mode provides a basic secure shared environment on a Web server that runs PHP with multiple user accounts. When safe mode is enabled on such a server, some functions are disabled completely and others are restricted.
[Restrictions enforced by safe mode]
In safe mode, functions that try to access the file system are restricted. The Web server runs under a particular user ID, and to operate on a file that user must already hold read or write permission on it. PHP enforces a further restriction on top of the operating system's own check:
When safe mode is enabled and a local file is read or written, PHP checks whether the current user is the owner of the target file. If not, the operation is refused. (Write permission: with loose file permissions in the operating system, files may be readable or writable by everyone; safe mode prevents you from operating on another user's files in that case. A Web server can of course still access any file that is world-writable.)
When safe mode is enabled, the following functions are restricted:
chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink
Some PHP extension functions are affected in the same way. (Loading modules: in safe mode the dl function is disabled; to load an extension you can only edit the extension options in php.ini so that it is loaded when PHP starts.)
When safe mode is enabled, external programs can only be executed from the directory named in the safe_mode_exec_dir option; executing anything else fails. Even where execution is allowed, the command is first passed through the escapeshellcmd function for filtering.
The following command-execution functions are affected:
exec, shell_exec, passthru, system, popen
In addition, the backtick operator (`) is disabled.
In safe mode the putenv function has no effect, although it raises no error. Likewise, other functions that try to change PHP's environment, such as set_time_limit and set_include_path, are silently ignored.
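The two checks described above (the file-owner comparison and the escapeshellcmd filter applied to commands) can be reproduced in ordinary PHP so that their behaviour can be inspected on any build. This is an added example, not code from the original article; safe mode itself was deprecated in PHP 5.3 and removed in PHP 5.4, so the script imitates the rule rather than relying on the directive. The sample file it creates and the sample command are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): a userland imitation of two
// safe_mode checks. Safe mode was removed in PHP 5.4, so this reproduces the
// rule for illustration; it is not a substitute for the directive.

/**
 * Mimic the safe_mode ownership rule: a file may be touched only if its owner
 * UID matches the UID the script runs as. With $use_gid = true the group IDs
 * are compared instead, which is what safe_mode_gid = On does.
 */
function safe_mode_allows(string $path, bool $use_gid = false): bool
{
    if (!file_exists($path)) {
        return false;
    }
    if ($use_gid) {
        return filegroup($path) === getmygid();
    }
    return fileowner($path) === getmyuid();
}

// Constructed sample: a temp file owned by the script user, next to a system
// file that is normally owned by root.
$own = tempnam(sys_get_temp_dir(), 'sm');
file_put_contents($own, "owned by the script user\n");

foreach ([$own, '/etc/passwd'] as $file) {
    printf("%-40s %s\n", $file, safe_mode_allows($file) ? 'allowed' : 'denied');
}
unlink($own);

// Safe mode also runs every command through escapeshellcmd() before exec(),
// system() and friends see it. Show what the filter does to a shell metacharacter:
$cmd = 'ls -l /tmp; id';            // constructed sample command
echo escapeshellcmd($cmd), "\n";    // the ';' comes back as '\;' so it no longer separates commands
```

Run it as the Web server user (or any unprivileged account) to see the first file reported as allowed and /etc/passwd as denied; the last line shows the escaped command exactly as safe mode would hand it to the shell.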
[Enabling safe mode]
Safe mode is enabled or disabled with the safe_mode option in php.ini. To activate it for every user sharing the Web server, set:
safe_mode = On
When a function accesses the file system, the file owner is checked. By default the user ID (UID) of the file owner is compared; if you set the safe_mode_gid option, the group ID (GID) of the file owner is compared instead.
If your system has shared library files that scripts need to include or require, use the safe_mode_include_dir option to add their path so that your code keeps working. (Include path: to allow more than one directory in safe_mode_include_dir, separate them with colons on Unix/Linux and with semicolons on Windows, just as for the include_path option.) For example, to include files from /usr/local/include/php in safe mode, set:
safe_mode_include_dir = /usr/local/include/php
If your scripts need to execute programs, set the safe_mode_exec_dir option. For example, to allow the files in /usr/local/php-bin to be executed, set:
safe_mode_exec_dir = /usr/local/php-bin
(Executables: if the programs you run live in /usr/bin, you can link those binaries into the directory named in this option so that they may be executed from there.)
To allow certain environment variables to be set, use the safe_mode_allowed_env_vars option. Its value is a list of environment-variable prefixes; by default only variables starting with PHP_ are allowed. To change it, set the option to the prefixes you want, separated by commas. For example, to additionally allow the TZ variable for the time zone, set:
safe_mode_allowed_env_vars = PHP_,TZ
[Other security features]
Besides safe mode, PHP provides several other features that help secure a PHP installation.
[Hiding PHP]
You can use the expose_php option in php.ini to stop the Web server from revealing that it runs PHP, like so:
expose_php = Off
With this setting you can ward off automated scripts that scan Web servers for the PHP version. Normally the HTTP response header contains information such as:
Server: Apache/1.3.33 (Unix) PHP/5.0.3 mod_ssl/2.8.16 OpenSSL/0.9.7c
Once expose_php is turned off, the PHP version no longer appears in this header. Of course, visitors can still see the .php file extension in URLs. If you want to use a different extension, find the following line in the Apache configuration file (httpd.conf):
AddType application/x-httpd-php .php
and change .php to whichever extension you like. You can list several extensions separated by spaces. If you want PHP to parse .html and .htm files on the server side, set the option as follows:
AddType application/x-httpd-php .html .htm
(Parsing HTML: this configures your Web server to run every HTML file through PHP. If files that contain no server-side code are also handed to PHP, server performance suffers; for static pages, use a different extension so that they bypass the PHP script engine.)
[File system security]
Safe mode limits a script's owner to their own files, but you can use open_basedir to confine access to a specific directory. When a directory is specified, PHP refuses access to anything outside that directory and its subdirectories. open_basedir works whether or not safe mode is enabled. For example, to restrict file system access to the /tmp directory, set:
open_basedir = /tmp
[Function access control]
You can list function names, separated by commas, in the disable_functions option; those functions are then unavailable to PHP scripts. This setting also works whether or not safe mode is enabled. For example:
disable_functions = dl
Similarly, the disable_classes option disables access to the listed classes.
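The effect of open_basedir and disable_functions can be observed from a script. The following is an added example, not code from the original article: it narrows open_basedir at runtime to the system temp directory (a constructed choice; open_basedir can only be tightened with ini_set, never widened) and then inspects which of the command-execution functions listed earlier are disabled. disable_functions cannot be changed at runtime, so it is only reported. The script assumes it is not itself stored under the temp directory.

```php
<?php
// Added example (not from the original article). Narrows open_basedir at
// runtime and shows the effect on fopen(); then reports disabled functions.
// Requires PHP 7.4+ for the arrow function.

/** Try to open $path read-only and report whether open_basedir let it through. */
function restricted_open(string $path): string
{
    $fh = @fopen($path, 'rb');   // warning suppressed; the return value tells the story
    if ($fh === false) {
        return 'denied';
    }
    fclose($fh);
    return 'opened';
}

/** function_exists() returns false for any function named in disable_functions. */
function disabled_functions(array $names): array
{
    return array_values(array_filter($names, fn($f) => !function_exists($f)));
}

// Constructed jail: the temp directory, resolved so symlinked temp paths compare cleanly.
$jail   = realpath(sys_get_temp_dir());
$inside = tempnam($jail, 'ob');
file_put_contents($inside, "inside the jail\n");

echo "before open_basedir, this script: ", restricted_open(__FILE__), "\n";

if (ini_set('open_basedir', $jail) === false) {
    echo "open_basedir could not be tightened (php.ini already sets a narrower value?)\n";
}
echo "open_basedir now: ", ini_get('open_basedir'), "\n";
echo "inside  jail: ", restricted_open($inside), "\n";
echo "outside jail (this script): ", restricted_open(__FILE__), "\n";
unlink($inside);

$list = disabled_functions(['dl', 'exec', 'shell_exec', 'passthru', 'system', 'popen']);
echo "disabled functions: ", $list ? implode(', ', $list) : '(none)', "\n";
```

On a default CLI build the script file opens before the restriction and is denied afterwards, while the temp file stays readable; the last line lists whichever of the six functions php.ini has disabled on that installation.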
[Database security]
Suppose your PHP script contains a MySQL query built from a form value:
$SQL = "UPDATE mytable SET col1 = " .
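The article breaks off here, so the following is an added example rather than the original author's code. It completes the kind of query the article starts (a form value pasted into the SQL text) and places it beside the parameterized form that keeps the value out of the statement. SQLite in memory stands in for MySQL so that the script runs offline; the table, the column and the sample form value are constructed.

```php
<?php
// Added example (not from the original article). A form value assembled into
// SQL by concatenation, beside the same update done with a bound parameter.
// SQLite in memory replaces MySQL here so the script runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, col1 TEXT)');
$db->exec("INSERT INTO mytable (col1) VALUES ('alice'), ('bob')");

// Constructed form input: an ordinary name that happens to contain a quote.
$formValue = "O'Brien";
$id = 1;

// Concatenation: the form value becomes part of the SQL text, so its quote
// terminates the string literal and the statement no longer parses.
function unsafe_update(PDO $db, string $value, int $id): string
{
    $SQL = "UPDATE mytable SET col1 = '" . $value . "' WHERE id = " . $id;
    try {
        $db->exec($SQL);
        return 'ok';
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Prepared statement: the value travels as a bound parameter and is never
// interpreted as SQL, whatever characters it contains.
function safe_update(PDO $db, string $value, int $id): string
{
    $stmt = $db->prepare('UPDATE mytable SET col1 = :v WHERE id = :id');
    $stmt->execute([':v' => $value, ':id' => $id]);
    return 'ok, rows affected: ' . $stmt->rowCount();
}

echo "concatenated:  ", unsafe_update($db, $formValue, $id), "\n";
echo "parameterized: ", safe_update($db, $formValue, $id), "\n";
echo "stored value:  ", $db->query('SELECT col1 FROM mytable WHERE id = 1')->fetchColumn(), "\n";
```

The concatenated version fails with a syntax error on this perfectly legitimate input, which is the same property that lets hostile input alter the query; the prepared statement stores O'Brien unchanged. With MySQL the only change is the PDO DSN and credentials.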