Top Ten PHP Security Best Practices

Source: Internet
Author: User
Tags php error
PHP is used in all kinds of web development, and a misconfigured server-side interpreter causes a whole range of problems. Today most web servers run on Linux (Ubuntu, Debian and the like). This article lists the top ten best security practices for PHP so that you can configure it securely with little effort.



PHP security settings: assumptions used below

DocumentRoot: /var/www/
Default web server: Apache
Default PHP configuration file: /etc/php.ini
Default PHP extensions config directory: /etc/php.d/
Our sample PHP security config file: /etc/php.d/security.ini (create this file with a text editor; the files in /etc/php.d/ are read after php.ini, so a directive set here overrides the main file)
Operating system: Ubuntu (the instructions should work on any other Linux distribution such as RHEL/CentOS/Fedora and on Unix-like systems such as OpenBSD/FreeBSD/HP-UX).

Note that the paths above, and the httpd service name used later, are the RHEL/CentOS layout. On Debian/Ubuntu the equivalents live under /etc/php5/apache2/ (php.ini and conf.d/), or /etc/php/<version>/apache2/ on newer releases, the service is called apache2, and the Apache module and the command-line php read different php.ini files. Run php --ini to see which files your installation actually loads.



1. Reduce PHP built-in modules

Loading only the extensions your application needs improves both performance and security, since every loaded extension is code an attacker can reach. List the modules currently loaded with:

# php -m

You will get output similar to this:

[PHP Modules]
Apc
Bcmath
bz2
Calendar
Core
CType
Curl
Date
Dom
Ereg
Exif
FileInfo
Filter
Ftp
Gd
GetText
Gmp
Hash
Iconv
Imap
Json
Libxml
Mbstring
Memcache
Mysql
Mysqli
Openssl
Pcntl
Pcre
Pdo
Pdo_mysql
Pdo_sqlite
Phar
ReadLine
Reflection
Session
Shmop
SimpleXML
Sockets
Spl
Sqlite3
Standard
Suhosin
Tokenizer
Wddx
Xml
XmlReader
Xmlrpc
XmlWriter
Xsl
Zip
Zlib
[Zend Modules]
Suhosin


To remove a module, delete or rename its configuration file under /etc/php.d/ and restart the web server. For example, to drop sqlite3:

# rm /etc/php.d/sqlite3.ini

or, reversibly:

# mv /etc/php.d/sqlite3.ini /etc/php.d/sqlite3.disable

Renaming is the better choice: the shared object stays on disk and the extension can be restored by renaming the file back. Run php -m again afterwards to confirm the module is gone.


2. Minimize PHP information disclosure

By default PHP adds a header such as X-Powered-By: PHP/5.2.10 to every response. That hands an attacker the exact PHP version to look up known vulnerabilities for, at no cost.

HTTP example:

HTTP/1.1 200 OK
X-Powered-By: PHP/5.2.10
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding, Cookie
X-Vary-Options: Accept-Encoding;list-contains=gzip,Cookie;string-contains=wikitoken;string-contains=wikiloggedout;string-contains=wiki_session
Last-Modified: Thu, ... 22:32:55 GMT
...

We therefore strongly recommend suppressing it. Edit /etc/php.d/security.ini and set:

expose_php = Off

This removes the X-Powered-By header (and, on older PHP releases, the PHP credits and logo easter-egg query strings). The Server: header is Apache's, not PHP's; trim it with ServerTokens Prod in httpd.conf. Hiding versions fixes nothing by itself, but it denies attackers free reconnaissance.
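To check that the change took effect, the following added Python script (an editor's example, not part of the original article) parses an HTTP response head and reports the headers that advertise software names and versions. SAMPLE is a constructed response modelled on the headers quoted above; fetch_head() performs a live HEAD request against a URL you pass on the command line.

```python
"""Check an HTTP response for the version disclosure this section removes.

Added example, not from the original article. disclosures() works on raw
response text so it can run against a captured reply; fetch_head() does a
live HEAD request. SAMPLE is constructed, not a real capture.
"""
import re
import urllib.error
import urllib.request

# Response headers that commonly advertise software names and versions.
DISCLOSING = ("x-powered-by", "server", "x-aspnet-version", "x-generator")

# Constructed sample, modelled on the response quoted in this section.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Powered-By: PHP/5.2.10\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Vary: Accept-Encoding, Cookie\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_head(raw):
    """Split an HTTP/1.x response into (status line, {lower-case name: value}).

    Only the head (up to the first blank line) is read. Continuation lines that
    start with whitespace (obsolete line folding) are appended to the previous
    header, since some servers still emit them for long Vary-style headers."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    if not lines:
        return "", {}
    status, headers, last = lines[0], {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = value.strip()
    return status, headers


def disclosures(raw):
    """Return {header: value} for the disclosing headers present in raw."""
    _, headers = parse_head(raw)
    return {name: headers[name] for name in DISCLOSING if name in headers}


def reveals_version(value):
    """True when a header value carries a version number, e.g. 'PHP/5.2.10'
    or 'Apache/2.2.15 (CentOS)'. A bare product token such as 'Apache' is
    what ServerTokens Prod leaves behind."""
    return re.search(r"\d+\.\d+", value) is not None


def fetch_head(url, timeout=5):
    """Issue a HEAD request and return the raw response head as text.
    4xx/5xx responses carry the same headers, so they are kept, not raised."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    with resp:
        return "HTTP/1.1 %d %s\r\n%s" % (resp.getcode(), resp.reason,
                                         resp.headers.as_string())


if __name__ == "__main__":
    import sys
    raw = fetch_head(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, value in disclosures(raw).items():
        kind = "version" if reveals_version(value) else "product only"
        print("%s: %s (%s)" % (name, value, kind))
```

Run it without arguments to see the constructed sample flagged, or with a URL after expose_php = Off and an Apache restart; a Server: header that still reveals a version points at ServerTokens rather than PHP.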


3. Minimize loaded PHP modules

On RHEL every extension that is loaded has its own .ini file in /etc/php.d/ (a one-line extension=name.so). To disable or enable a specific extension, rename that file or comment out its extension= line; the listing in section 1 shows what is currently loaded. For best performance and the smallest attack surface, enable an extension only when your application needs it. For example, to disable the GD extension:

# cd /etc/php.d/

# mv gd.{ini,disable}

# /etc/init.d/apache2 restart

To re-enable the GD module:

# mv gd.{disable,ini}

# /sbin/service httpd restart

(The first restart command is the Debian/Ubuntu form and the second the RHEL/CentOS form; use whichever your distribution provides. On newer Debian/Ubuntu releases the same job is done by phpdismod and phpenmod, with the extension .ini files under /etc/php/<version>/mods-available/.)


4. Log PHP error messages instead of displaying them

PHP error messages reveal file paths, SQL fragments and stack details, so they must never be shown to visitors. Edit /etc/php.d/security.ini and set:

display_errors = Off

All errors should still be recorded in a log so that developers can fix them:

log_errors = On

error_log = /var/log/httpd/php_scripts_error.log

The log file (or its directory) must be writable by the user Apache runs as, otherwise PHP falls back to the web server's own error log, and it must live outside the DocumentRoot so that it cannot be fetched over HTTP.



5. Disable remote code retrieval

When allow_url_fopen is on, PHP's file functions accept URLs, so file_get_contents(), fopen() and friends can fetch data over FTP or HTTP as easily as they read a local file.

Many programmers use this to pull remote data. The danger is that most code does not properly validate user-supplied input before passing it to these functions, so an attacker who controls the path can make the application fetch, and with include() or require() execute, content from a server they control (remote file inclusion). To close this off, edit /etc/php.d/security.ini and set:

allow_url_fopen = Off

In addition, we recommend disabling allow_url_include, the directive that lets include and require load code from URLs (it is Off by default since PHP 5.2 and must stay that way):

allow_url_include = Off

Note that allow_url_fopen = Off also breaks legitimate HTTP fetching with file_get_contents(); applications that need it should use the curl extension instead. The input validation still has to be done in the code, since these directives do nothing against local file inclusion.


6. Disable dangerous PHP functions

PHP has built-in functions that let a script run shell commands or read arbitrary files; when a vulnerable script exposes them, they turn an injection into a compromise of the host. List the ones your application does not need in /etc/php.d/security.ini:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Two caveats. This is a blocklist, not a sandbox: any omitted function with the same effect stays available (pcntl_exec when the pcntl extension is loaded, for instance), so combine it with the module trimming in sections 1 and 3. And tailor the list: curl_exec is how most PHP HTTP clients work and parse_ini_file is used by many frameworks, so disabling them breaks applications that rely on them. disable_functions can only be set in php.ini or the /etc/php.d/ files, not in .htaccess or with ini_set(), so a script cannot re-enable what it lists.


7. Resource control

To keep the system stable, set a ceiling on how long each script may run, how long it may spend parsing request data, and how much memory it may use. These limits stop any single PHP script, including a malicious or runaway one, from exhausting the server; they are a denial-of-service safeguard, not a fix for the script itself.

; times in seconds, memory in megabytes

max_execution_time = 30

max_input_time = 30

memory_limit = 40M

Pick values from what your application actually needs: 40M is tight for modern frameworks, and a request that hits memory_limit dies with a fatal error.



8. Restrict PHP's access to the file system

open_basedir limits the files PHP may touch, through fopen(), include(), file_get_contents() and every other filesystem function, to the directory trees listed. Any script that tries to reach a file outside the open_basedir paths is refused. Symbolic links are resolved before the check, so a link cannot be used to escape.

; Limits the PHP process to files inside specifically designated
; directories such as /var/www/html/
open_basedir = "/var/www/html/"
; ------------------------------------
; Multiple directories, separated by ':' on Unix
; open_basedir = "/home/httpd/vhost/cyberciti.biz/html/:/home/httpd/vhost/nixcraft.com/html/:/home/httpd/vhost/theos.in/html/"
; ------------------------------------

Note that the value is a prefix match, not a directory name: open_basedir = "/var/www/html" also admits /var/www/html2, so end every entry with a slash as shown. The session save path and the upload temporary directory must be inside the listed trees as well, or sessions and uploads will fail. For per-site isolation, set it in each Apache virtual host with php_admin_value open_basedir rather than globally.
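The directives from sections 2 and 4 to 8 can be checked mechanically. The following Python script is an added example, not part of the original article: it parses php.ini syntax and reports every recommended directive that is missing, left at PHP's built-in default, or weaker than the article's values. WEAK_INI and HARDENED_INI are constructed samples (the second is the security.ini assembled above), the ceilings are this article's numbers rather than universal limits, and an absent directive is judged against PHP's documented built-in default.

```python
"""Audit a php.ini fragment against the directives recommended in this article.

Added example, not from the original article. Parses php.ini syntax
(key = value, ';' comments, optional quotes) and lists recommendations not
met. Samples are constructed; ceilings are the article's numbers.
"""
import re

REQUIRED_DISABLED = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}
CEILINGS = {"max_execution_time": 30, "max_input_time": 30, "memory_limit": 40 * 1024 ** 2}
# PHP's built-in defaults, applied when a directive is not set anywhere.
DEFAULTS = {
    "expose_php": "1", "display_errors": "1", "allow_url_fopen": "1",
    "allow_url_include": "0", "log_errors": "1",
    "max_execution_time": "30", "max_input_time": "-1", "memory_limit": "128M",
}
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")

WEAK_INI = """\
; constructed sample resembling a stock php.ini
expose_php = On
display_errors = On
allow_url_fopen = On
max_execution_time = 0
memory_limit = 512M
open_basedir = /var/www
"""

HARDENED_INI = """\
; constructed sample: the security.ini assembled in this article
expose_php = Off
display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_scripts_error.log
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
open_basedir = "/var/www/html/"
"""


def parse_ini(text):
    """Return {directive: value}; a later definition overrides an earlier one,
    as PHP does when several /etc/php.d/ files set the same directive.
    Limitation: a ';' inside a quoted value is treated as a comment start."""
    settings = {}
    for raw in text.splitlines():
        match = _DIRECTIVE.match(raw.split(";", 1)[0])
        if not match:
            continue
        key, value = match.group(1).lower(), match.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def is_on(value):
    """PHP's boolean ini parsing: 1/On/Yes/True are on, anything else is off."""
    return value.strip().lower() in ("1", "on", "yes", "true")


def to_number(value):
    """Parse an ini integer with PHP's K/M/G shorthand; '' counts as 0."""
    v = value.strip().lower()
    mult = 1
    if v and v[-1] in "kmg":
        mult = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[v[-1]]
        v = v[:-1]
    return int(v or "0") * mult


def audit(text):
    """Return [(directive, problem)] for every recommendation not met."""
    settings = parse_ini(text)

    def get(key):
        return settings.get(key, DEFAULTS.get(key, ""))

    findings = []
    for key in ("expose_php", "display_errors", "allow_url_fopen", "allow_url_include"):
        if is_on(get(key)):
            findings.append((key, "should be Off"))
    if not is_on(get("log_errors")):
        findings.append(("log_errors", "should be On"))
    elif not get("error_log"):
        findings.append(("error_log", "not set; errors go to the web server's log"))
    disabled = {f.strip() for f in get("disable_functions").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append(("disable_functions", "missing " + ",".join(missing)))
    for key, ceiling in CEILINGS.items():
        n = to_number(get(key))
        if n <= 0 or n > ceiling:  # 0 and -1 mean unlimited
            findings.append((key, "unlimited or above %d" % ceiling))
    base = get("open_basedir")
    if not base:
        findings.append(("open_basedir", "not set"))
    else:
        # open_basedir is a prefix match: /var/www also admits /var/www2.
        loose = [p for p in base.split(":") if not p.endswith("/")]
        if loose:
            findings.append(("open_basedir", "no trailing slash: " + ":".join(loose)))
    return findings
```

Because a later definition wins, feed it php.ini followed by the /etc/php.d/ files in the order php --ini lists them; auditing security.ini alone would miss a directive that another file re-enables.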


9. Restrict file and directory access

Make sure Apache runs as a non-root user, such as www-data (Debian/Ubuntu) or apache (RHEL/CentOS), and that the files and directories under /var/www/ are also owned by a non-root user. To change the owner, run:

# chown -R apache:apache /var/www/

Handing the whole tree to the web server user is a trade-off, though: a PHP script that an attacker manages to run as that user can then rewrite the application's own code. The tighter arrangement is a separate deploy account that owns the files, with read (not write) access for the server's group, and write access for the server only in the directories that need it, such as upload and cache directories.
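As an added example (not from the original article), the following Python check takes the stricter view described above: instead of making the web server own everything, it walks a web root and reports every entry the server user could write to, exempting directories that are meant to be writable. The server uid and gid are parameters you take from id apache or id www-data; run_demo() builds a constructed tree in a temporary directory so the check can be exercised without a real web root.

```python
"""Report web-root entries the PHP process could modify.

Added example, not from the original article. Flags anything the web server
user can write to (owned by it, world-writable, or writable by its group),
exempting directories that must be writable. run_demo() audits a constructed
tree built in a temporary directory.
"""
import os
import shutil
import stat
import tempfile


def _within(path, roots):
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def insecure_entries(root, server_uid, server_gid, writable_dirs=()):
    """Return [(path, reason)] for files and directories under root that the
    web server user could write. Symlinks are skipped; their targets are
    judged on their own when os.walk reaches them."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not descend into trees that are meant to be writable (uploads, cache).
        dirnames[:] = [d for d in dirnames
                       if not _within(os.path.join(dirpath, d), writable_dirs)]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid == server_uid:
                findings.append((path, "owned by the web server user"))
            elif st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_gid == server_gid and st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable by the web server group"))
    return findings


def run_demo(server_is_owner=False):
    """Audit a constructed web root: index.php 0644, config.php 0664,
    debug.log 0666, and an uploads/ tree that is allowed to be writable.
    With server_is_owner=False the server uid is deliberately not ours, so
    only mode bits can trigger findings. Returns {relative path: reason}."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        for rel, mode in (("index.php", 0o644), ("config.php", 0o664),
                          ("debug.log", 0o666), ("uploads/photo.jpg", 0o664)):
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(uploads, 0o775)
        me = os.getuid()
        found = insecure_entries(root, me if server_is_owner else me + 1,
                                 os.getgid(), writable_dirs=(uploads,))
        return {os.path.relpath(p, root): reason for p, reason in found}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in sorted(run_demo().items()):
        print("%-12s %s" % (rel, reason))
```

On a real server call insecure_entries("/var/www", uid, gid, writable_dirs=(...)) with the numeric ids of the Apache user; every line it prints is a file that a compromised script running as that user could tamper with.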


10. Write-protect the Apache, PHP and MySQL configuration files

Use the chattr command to mark the configuration files immutable:

# chattr +i /etc/php.ini

# chattr +i /etc/php.d/*

# chattr +i /etc/my.cnf

# chattr +i /etc/httpd/conf/httpd.conf

# chattr +i /etc/

Be careful with the last one: an immutable directory refuses the creation, deletion and renaming of entries, so +i on /etc/ breaks package upgrades, password changes and anything else that writes there. Apply it to individual files instead. Setting or clearing the flag (chattr -i) needs the CAP_LINUX_IMMUTABLE capability, so it stops unprivileged tampering and accidental edits, not an attacker who already has root, and you must lift it before making your own changes. The flag is supported on ext2/3/4 and a few other filesystems.

The same command can protect the PHP files themselves, individually or for the whole /var/www/html tree:

# chattr +i /var/www/html/file1.php

# chattr +i /var/www/html/

Note that +i on the directory alone only freezes its list of entries; use chattr -R +i to cover every file below it. Either way it blocks new files, so exempt upload and cache directories, and run chattr -R -i before deploying an update.


(Note: this article was compiled by Xiameng; please credit the source when reproducing it.)

Chinese source: http://sd.csdn.net/a/20120130/311203.html
English source: Http://www.ansoncheung.tk/articles/top-10-php-best-security-practices-sys-admins