How to Set PHP. ini to make your PHP safer

Source: Internet
Author: User
Provides various official and user-released code examples and code reference. You are welcome to learn how to set up PHP. ini to make your PHP more secure.

Php is increasingly used! Security issues are even more important! This section describes how to configure php. ini for security.

Security Configuration 1

(1) Enable the php security mode
The security mode of php is a very important embedded security mechanism that can control some php functions, such as system (),
At the same time, many file operation functions are subject to permission control, and files of some key files are not allowed, such as/etc/passwd,
However, the default php. ini mode does not enable the security mode. Open it:
Safe_mode = on

(2) user group security
When safe_mode is enabled and safe_mode_gid is disabled, the php script can access the file and
Group users can also access files.
Recommended settings:
Safe_mode_gid = off
If you do not set it, we may not be able to operate the files under the website directory of our server. For example, we need
During file operations.

(3) Main directory for executing programs in Safe Mode
If security mode is enabled, but you want to execute some programs, you can specify the main directory of the program to be executed:
Safe_mode_exec_dir = D:/usr/bin
Generally, you do not need to execute any program. Therefore, we recommend that you do not execute the system program Directory, which can point to a directory,
Then copy the program to be executed, for example:
Safe_mode_exec_dir = D:/tmp/cmd
However, I recommend that you do not execute any program, so you can point to our webpage directory:
Safe_mode_exec_dir = D:/usr/www

(4) file inclusion in Security Mode
If you want to include some public files in safe mode, modify the following options:
Safe_mode_include_dir = D:/usr/www/include/
In fact, the files contained in the php script are all written in the program itself, which can be set as needed.

(5) control directories accessible by php scripts
You can use the open_basedir option to control the PHP script to access only the specified directory, so as to avoid PHP script access.
Files that should not be accessed limit the harm of phpshell to a certain extent. We can generally set to only access the website directory:
Open_basedir = D:/usr/www

(6) Disable dangerous functions
If the security mode is enabled, the function is not required, but we should consider it for security. For example,
We do not want to execute a php function that includes system () and so on that can execute commands, or can view php information.
Phpinfo () and other functions, we can disable them:
Disable_functions = system, passthru, exec, shell_exec, popen, phpinfo
If you want to disable operations on any files and directories, you can disable many file operations.
Disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir,

Rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown
The above only lists some file processing functions that are not commonly used. You can also combine the preceding command functions with this function,
You can resist most phpshells.

(7) Disable PHP version information leakage in the http Header
To prevent hackers from obtaining information about the php version on the server, we can disable this information in the http header:
Expose_php = Off
For example, when hackers telnet 80, they will not be able to see the PHP information.

(8) Disable registration of global variables
Variables submitted in PHP, including those submitted using POST or GET, are automatically registered as global variables and can be directly accessed,
This is very insecure for the server, so we can disable the register global variable option if we cannot register it as a global variable:
Register_globals = Off
Of course, if this is set, a reasonable way should be used to obtain the corresponding variable, such as getting the variable var submitted by GET,
You need to use $ _ GET ['var'] to obtain it. This php programmer should pay attention to it.

(9) Enable magic_quotes_gpc to prevent SQL injection.
SQL injection is a very dangerous problem. In small cases, the website background is intruded, while in heavy cases, the entire server is compromised,
So be careful. Php. ini has a setting:
Magic_quotes_gpc = Off
This is disabled by default. If it is enabled, it will automatically convert the SQL query submitted by the user,
For example, convert 'to \' to prevent SQL injection. Therefore, we recommend the following settings:
Magic_quotes_gpc = On

(10) error message control
In general, php prompts an error when it is not connected to the database or in other cases. The common error message will contain the php script when
The preceding path information or the queried SQL statement information is not safe after the information is provided to the hacker. Therefore, it is recommended that the server disable the error prompt:
Display_errors = Off
If you want to display the error information, you must set the Display error level. For example, only the warning information is displayed:
Error_reporting = E_WARNING & E_ERROR
Of course, we recommend that you disable the error message.

(11) Error Log
We recommend that you record the error information after you disable display_errors to find out the reason for running the server:
Log_errors = On
At the same time, you must set the directory where error logs are stored. It is recommended that the logs of the root apache exist together:
Error_log = D:/usr/local/apache2/logs/php_error.log
Note: You must grant write permissions to apache users and groups.

MYSQL downgrading operation
Create a user, such as mysqlstart
Net user mysqlstart ***** microsoft/add
Net localgroup users mysqlstart/del

Does not belong to any group
If MYSQL is installed in d: \ mysql, grant full control of MYSQL start.
Then, set the MYSQL service attribute in the system service. In the logon attribute, select this user mysqlstart and enter the password to confirm.
Restart the MYSQL service and MYSQL runs under low permissions.
If you build apache on the windos platform, note that apache runs with the system permission by default,
This is terrible, and it makes people feel uncomfortable. Let's drop apache permissions.

Net user apache **** microsoft/add
Net localgroup users apache/del

OK. We have created a user apche that does not belong to any group.
Open the computer manager, select a service, click the apache service attribute, Select log on, select this account, and fill in the created

Account and password,
Restart the apache service. OK. apache runs under low permissions.
In fact, we can also set permissions for each folder so that apache users can only execute what we want it to do, and create

Users that can be read and written separately.
This is also a popular configuration method for many VM providers. However, this method is used to prevent minor usage.

Security Configuration 2

This section describes the basic configuration process of IIS + MySQL + PHP and the basic permission settings for Windows. In this part, we need to discuss the security configuration of php and the Web object.

Of course, the IIS abnormal security configuration is required. Let me talk a few things.
Our final goal is that the Web site only runs php, does not support asp and does not support, so that the specific directory or sub-site cannot execute php scripts, for example

Directory, we set it to unable to run php, so that even if your website is "Hacked" to log on to the background, you can upload files. But in the end, he cannot execute

Even if webshell is obtained, it cannot read directories or files and execute commands. In other words, a powerful webshell is not owned by hackers.

The use of value, so that hackers will eventually go crazy and die. Haha! In fact, it is not very difficult to do this. follow my steps. After learning this article, you can be independent.

To complete the abnormal server configuration.

I. abnormal configuration of the php. ini file

Why do we put php. ini at the beginning? Because our Web site is php, many default options are insecure. Left the hacker

There are a lot of opportunities to take advantage of, so the first step is to make the php. ini settings more abnormal, so as to prevent attacks by General script hackers.
First, let's take a look at some basic concepts of php. ini. Blank characters and rows starting with semicolons are ignored. The command format is as follows:

Directive = value command name (directive) is case sensitive! Therefore, "foo = bar" is different from "FOO = bar ". The value can be:

1. A string defined by quotation marks (for example, "foo ")
2. A number (integer or floating point number, for example, 0, 1, 34,-1, 33.55)
3. a PHP constant (for example, E_ALL, M_PI)
4. An INI constant (On, Off, none)
5. An expression (for example, E_ALL &~ E_NOTICE)

Another option is to set a Boolean value. If 1 is On, it is enabled. If 0 is Off, It is disabled. Php. ini is divided into many parts, such as module and global configuration of php.

Configuration, database configuration, and so on.


AD: truly free, domain name + VM + enterprise mailbox = 0 RMB

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.