Home > Developer > Web Develop
Obviously, Php+mysql+apache is a popular web technology, and this combination is powerful, extensible, and free. However, the default settings for PHP are not as appropriate for websites that are already online. The following changes the default configuration file to enhance the security policy of PHP!
0X01: Disabling the remote URL file processing feature
Like the fopen file handler function, accept the file's Rul parameter (for example: fopen (' http://www.yoursite.com ', ' R ')), which can easily access remote resources, however, this is a very important security threat, Disabling this feature to restrict the file function is a good choice, in the php.ini file, make the following changes:
0x02: Disable registering global variables
PHP in the previous version of 4.2.0, with global variables as input, this function is called register_globals, in the Web application it caused a lot of security problems, because it allows the attacker in some cases easy to manipulate global variables, Fortunately in 4.2.0 This feature is disabled by default, it is very dangerous, regardless of the circumstances to disable this feature. If some scripts require this functionality, there is a potential security threat to the script. Modify Pnp.ini To disable this feature:
Copy CodeThe code is as follows:0x03: Restricting PHP read and write operations
In many web development processes, PHP scripts need to read and write to the local file system, such as/var/www/htdocs/files, in order to enhance security, you can modify the local file read and Write permissions:
0x04:posing Limit
Restricting PHP execution time, memory usage, post, and upload data is the best strategy, and can be configured as follows:
0X05: Disable error messages and enable logging
In the default settings, PHP will output error messages to the browser, which is the most reasonable configuration in the application development process, however, it can also disclose some security information to the user, such as the installation path and user name. In a Web site that has already been developed, it is best to disable the error message and then output the error message to the log file.
Copy CodeThe code is as follows:0x06: Hide php files
If there is no hidden php file, we can get the server PHP version in several ways, for example using: http://www.example.com/script.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
Obviously, we don't want users to get the PHP version of your Web server directly, fortunately, there is a switch in php.ini to disable this feature:
0X07: Safe Mode configuration
In the default case, PHP can be configured as Safe mode, in this mode, Apache prohibit access to files, environment variables and binaries, in safe mode, the biggest problem is that only the owner of the file can access this write PHP file, if there are many developers to jointly develop this program, This setting is impractical, when you need to access a PHP file you need to modify the owner of the file, and another problem is that other programs can not access these PHP files, the following configuration will be able to modify the permissions of the file for the user group rather than a single user.
By enabling Safe_mode_gid, you can access PHP files using this group of Apache. Safe mode is also very effective against the execution of binary files, however, developers want to be able to run some binary files in certain situations. In these special cases, you can put a binary file into a directory, for example (/var/www/binaries), you can do the following settings:
Finally, with the following settings, you can access the server's environment variables and provide a prefix separated by "_" to access only the environment variables with the specified prefix:
Copy CodeThe code is as follows:0x08: Restricting access of public users to files with specific suffix names
For security reasons, many files with specific suffix names cannot be accessed by public users, such as the. inc suffix file, which contains sensitive information, such as MySQL connection information, if not properly configured, then each user can access the configuration file, in order to enhance the security of the site, you need to. The. htaccess file is configured as follows:
0X09: summary
The default configuration for PHP is for developers, and if the site is for a wide range of users, it is recommended that you reconfigure PHP.
Improved PHP Security: 8 PHP Default configurations that must be modified
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
