First, the value types a php.ini directive can take:
1. A string in quotation marks (for example "foo")
2. A number, integer or floating point (for example 0, 1, 34, -1, 33.55)
3. A PHP constant (for example E_ALL, M_PI)
4. An INI constant (On, Off, None)
5. An expression (for example E_ALL & ~E_NOTICE)
Boolean directives are written as On or Off; 1 and 0 are accepted as equivalents. php.ini is divided into many sections, such as the module section, the PHP global configuration and the database configuration. With these basics in hand we can start the hardening tour.
The first important parameter is register_globals. It controls how PHP exposes request parameters: with register_globals = On, every value passed in (GET, POST, cookie, and so on) is registered directly as a global variable, so a request parameter can silently initialise any variable the script forgot to set itself. With register_globals = Off the script has to read input explicitly from the superglobal arrays ($_GET, $_POST, $_COOKIE, $_REQUEST). A large share of the PHP vulnerabilities published on www.milw0rm.com exist only because register_globals was On, so it is strongly recommended to set it to Off. The default has been Off since PHP 4.2.0, the directive was deprecated in 5.3 and removed entirely in 5.4, so on a current PHP there is nothing to do; if you are running an older version, be sure to change it.
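The following is an added example, not code from the original article. It shows the classic bug that register_globals = On turns into an authentication bypass: a control variable that is only assigned on the success path. Because register_globals no longer exists in current PHP, extract() on the request array is used to reproduce its effect; the user table and the request are constructed for the example, and the user names and the is_admin parameter are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: $is_admin is only assigned when the check succeeds and is
// otherwise expected to be undefined. With register_globals = On the request
// /admin.php?user=bob&is_admin=1 defines $is_admin before this code runs.
function is_admin_vulnerable(array $request, array $users): bool
{
    extract($request);                        // stands in for register_globals = On
    $user = (string)($request['user'] ?? '');
    if (isset($users[$user]) && $users[$user] === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin);                 // now attacker-controlled
}

// Hardened form: initialise every control variable before use, read input only
// from the request array, and never extract() untrusted data into the scope.
function is_admin_hardened(array $request, array $users): bool
{
    $is_admin = false;
    $user = (string)($request['user'] ?? '');
    if (isset($users[$user]) && $users[$user] === 'admin') {
        $is_admin = true;
    }
    return $is_admin;
}

// Constructed data: a user table and the attacker's request parameters.
$users  = ['alice' => 'admin', 'bob' => 'user'];
$attack = ['user' => 'bob', 'is_admin' => '1'];

var_dump(is_admin_vulnerable($attack, $users));   // bypass: bob becomes admin
var_dump(is_admin_hardened($attack, $users));     // correctly refused
```

The hardened version does not depend on any php.ini setting: even with register_globals = On, a variable that is assigned before it is tested cannot be pre-seeded from the request.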
The second important parameter is magic_quotes_gpc. With magic_quotes_gpc = Off, PHP does not escape the four characters ' (single quote), " (double quote), \ (backslash) and NUL in incoming data, so a script that pastes request values straight into SQL can be injected. With magic_quotes_gpc = On, PHP prefixes those four characters with a backslash in every value of $_GET, $_POST and $_COOKIE (the same transformation as addslashes()), which closes the most naive injections. The article therefore recommends setting magic_quotes_gpc to On. Two caveats apply: the directive was deprecated in PHP 5.3 and removed in 5.4, so it cannot be relied on in current releases, and backslash-escaping only helps for values placed inside a quoted SQL string; it does nothing for a numeric context such as WHERE id = $id. Prepared statements (PDO or mysqli) are the real fix and work on every PHP version.
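An added example, not from the original article, showing the limit of what magic_quotes_gpc gave you and the prepared-statement replacement. addslashes() is used in place of the removed directive because it applies the same escaping; the table, rows and the payload are constructed, and an in-memory SQLite database is assumed so the script runs without a database server.

```php
<?php
declare(strict_types=1);

// Constructed table so the example is self-contained (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER, name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// What magic_quotes_gpc = On did to every GET/POST/COOKIE value.
function magic_quotes(string $value): string
{
    return addslashes($value);
}

// Vulnerable: the value is interpolated into an unquoted numeric context. The
// payload contains none of ' " \ NUL, so the escaping leaves it untouched and
// the WHERE clause becomes  id = 2 OR 1=1.
function find_by_id_vulnerable(PDO $db, string $id): array
{
    $id = magic_quotes($id);
    return $db->query("SELECT name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a parameterised query. The value is bound, never spliced into the
// SQL text, and is cast to the type the column expects.
function find_by_id_hardened(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int)$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = '2 OR 1=1';   // constructed request value, e.g. ?id=2%20OR%201%3D1

print_r(find_by_id_vulnerable($db, $payload));   // every user is returned
print_r(find_by_id_hardened($db, $payload));     // only the row with id 2
```

The vulnerable function is exactly the code that magic_quotes_gpc was supposed to protect; it only ever covered the quoted-string case.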
The third important parameter is display_errors. Every developer makes mistakes, and display_errors exists to help locate them by printing warnings and errors into the page. But the same information is valuable to an attacker. For example, a government finance site that had not turned display_errors off disclosed its web root in an error message. That is important reconnaissance, because many attacks need the absolute web directory, for instance to write a webshell to a known path. We strongly recommend setting display_errors = Off on production servers and sending errors to a log file (log_errors = On) instead, so developers still see them.
The fourth important parameter is safe_mode, the so-called safe mode. It is a built-in restriction mechanism: it blocks some functions such as system(), applies ownership checks to many file-manipulation functions, and refuses access to key files such as /etc/passwd. The default php.ini leaves it off, so the article turns it on with safe_mode = On. Be aware that safe mode was never a reliable security boundary (it was enforced in PHP itself and had many bypasses), it was deprecated in PHP 5.3 and removed in 5.4; on current versions rely on operating-system permissions, open_basedir and disable_functions instead.
The fifth parameter is open_basedir. It restricts the files a PHP script can open to the listed directories, which keeps scripts from reading files they have no business touching and limits what a webshell can reach. A typical setting allows only the site directory (assuming the site lives in e:\test): open_basedir = "e:\test". Note that the check is a prefix match, so end the path with a directory separator if you want to exclude siblings such as e:\test2, and remember to add the session and upload temporary directories if the application needs them.

The sixth parameter is disable_functions, which switches off individual functions that are dangerous to the underlying system.
For example, the phpinfo() function shown at the start of this page reveals the environment variables and configuration of the PHP installation, and functions such as system() and exec() run operating-system commands. The recommended list is:
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
(The original list carried a duplicate ini_alter entry and the typo "popepassthru" for popen.) If you do not know what a function does, look it up in the PHP manual before deciding whether your server should block it. Two points to check: ini_alter is only an alias of ini_set, so disabling it alone does not stop scripts from changing configuration at runtime, and scandir is used by many ordinary applications, so test the site after adding it.
The seventh parameter concerns COM components. PHP on Windows has a weakness that lets an attacker use the COM() class to instantiate system components and run arbitrary commands, even with safe mode enabled. The reason is that safe mode disables system() and passthru(), but the com.allow_dcom setting remains true, so the attacker can create a COM object (such as a shell automation object) and execute commands through it.
If the web server runs with its default Apache account, or worse as LocalSystem or a member of Administrators, this lets the attacker elevate privileges. So com.allow_dcom must be turned off: it defaults to true and should be set to com.allow_dcom = false. The setting only exists on Windows builds with the COM extension loaded. The eighth parameter is expose_php. It controls whether PHP announces its presence on the server: with expose_php = On the PHP version is leaked, for example in the X-Powered-By response header. The recommended value is Off.
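The eight recommendations above collected into one php.ini fragment. This is an added example assembled from the article's values, not a file from the original page; the site directory e:\test is the article's own placeholder, and log_errors is an assumption added so that errors still go somewhere once display_errors is off.

```ini
; Hardened php.ini fragment (added example; adjust paths to your server)
register_globals = Off           ; removed in PHP 5.4, harmless to keep
magic_quotes_gpc = On            ; PHP < 5.4 only; use prepared statements regardless
display_errors = Off
log_errors = On                  ; assumption: keep errors, but in the log, not the page
safe_mode = On                   ; PHP < 5.4 only
open_basedir = "e:\test\"        ; trailing separator makes the prefix match exact
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
com.allow_dcom = false           ; Windows builds with the COM extension only
expose_php = Off
```

On a PHP 5.4 or later installation the removed directives are ignored; they are kept here only because this article targets the older releases that still honour them.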
Those are the parameters that matter most. php.ini has many more settings, but most are unrelated to security and mostly affect how PHP runs (performance tuning and the like); the official PHP manual documents each one if you are interested. Note: after editing php.ini you must restart IIS (or whichever web server or PHP-FPM process hosts PHP), otherwise the changes do not take effect.
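An added example, not from the original article, for checking after the restart that the running PHP actually picked up the settings. ini_get() reports the values the interpreter is using, so an edit to the wrong php.ini file, a forgotten restart, or a directive that this PHP version no longer has all show up here. The list of functions that must be disabled is the article's own; the function and report format are assumptions.

```php
<?php
declare(strict_types=1);

// Returns one finding per setting that does not match the article's recommendation.
function audit_php_ini(array $required_disabled): array
{
    $findings = [];

    // Boolean directives and the value the article wants for each.
    $booleans = [
        'register_globals' => false,
        'magic_quotes_gpc' => true,   // removed in PHP 5.4; reported as absent there
        'display_errors'   => false,
        'safe_mode'        => true,   // removed in PHP 5.4
        'com.allow_dcom'   => false,  // Windows builds with the COM extension only
        'expose_php'       => false,
    ];
    foreach ($booleans as $name => $want) {
        $raw = ini_get($name);
        if ($raw === false) {            // directive unknown to this PHP build/version
            $findings[] = "$name: not available in this PHP version";
            continue;
        }
        // ini_get returns "" or "0" for Off and "1" for On; display_errors may also
        // be "stderr"/"stdout", which still means errors are shown.
        $have = !in_array(strtolower((string)$raw), ['', '0', 'off', 'false', 'no'], true);
        if ($have !== $want) {
            $findings[] = sprintf('%s: is %s, want %s', $name,
                                  $have ? 'On' : 'Off', $want ? 'On' : 'Off');
        }
    }

    if ((string)ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir: not set (scripts may open any file the web user can)';
    }

    $disabled = array_filter(array_map('trim', explode(',', (string)ini_get('disable_functions'))));
    $missing  = array_diff($required_disabled, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions: still enabled: ' . implode(',', $missing);
    }

    return $findings;
}

// The article's recommended disable_functions list.
$required = ['phpinfo', 'passthru', 'exec', 'system', 'chroot', 'scandir', 'chgrp',
             'chown', 'shell_exec', 'proc_open', 'proc_get_status', 'ini_alter',
             'ini_restore', 'dl', 'pfsockopen', 'openlog', 'syslog', 'readlink',
             'symlink', 'popen', 'stream_socket_server'];

$findings = audit_php_ini($required);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "All checked settings match." . PHP_EOL;
```

Run it through the web server rather than the command line: the CLI uses its own php.ini and always has display_errors on, so only a request to the hosted copy tells you what the site's PHP is really using.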