Make your PHP more secure: php.ini

Source: Internet
Author: User


PHP is used more and more, and its security matters more and more. This article explains the security-related options in php.ini.

Security Configuration I

(1) Turn on PHP safe mode. PHP's safe mode is a very important built-in security mechanism: it can control some PHP functions such as system(), applies permission checks to many file-operation functions, and denies access to some critical files such as /etc/passwd. The default php.ini does not turn safe mode on, so we turn it on:

safe_mode = On

(2) User-group safety. When safe_mode is on and safe_mode_gid is off, a PHP script can access its files and users in the same group can also access them. The recommended setting is:

safe_mode_gid = Off

If this is not set, we may be unable to operate on our own web site directory on the server, for example when a script needs to work with files.

(3) Home directory for executable programs in safe mode. If safe mode is on but some programs still need to be executed, you can specify the directory from which programs are allowed to run:

safe_mode_exec_dir = D:/usr/bin

Generally there is no need to execute any program, so I recommend not pointing this at the system program directory; point it at another directory and copy the programs that need to be executed there, for example:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not executing any program at all, in which case you can point it at our web directory:

safe_mode_exec_dir = D:/usr/www

(4) Included files in safe mode. If you want to include some public files in safe mode, modify this option:

safe_mode_include_dir = D:/usr/www/include/

In fact the files a PHP script includes are usually already written into the program itself, so this can be set according to specific needs.

(5) Control which directories PHP scripts can access. Use the open_basedir option to restrict PHP scripts to the specified directory, so that they cannot access files they should not, which to some extent limits the harm a PHP shell can do. We can generally restrict access to the site directory only:

open_basedir = D:/usr/www

(6) Turn off dangerous functions. If safe mode is on, disabling functions is not strictly necessary, but we still consider it for security. For example, we do not want PHP functions that can execute commands, such as system(), or phpinfo(), which reveals PHP information, so we can ban them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

If you want to prohibit all file and directory operations, you can turn off many file-operation functions:

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

This is only a list of the most commonly used file-handling functions; combine it with the command-execution functions above and you can resist most PHP shells.

(7) Turn off PHP version information in HTTP headers. To prevent hackers from learning the PHP version running on the server, turn that information off in HTTP headers:

expose_php = Off

Then when a hacker telnets to www.12345.com on port 80, he will not be able to see the PHP information.

(8) Turn off register_globals. Variables submitted to PHP, including variables submitted via POST or GET, are automatically registered as global variables that can be accessed directly, which is very unsafe for the server. So we do not let them be registered as global variables and turn the option off:

register_globals = Off

Of course, once this is set, the corresponding variables must be obtained in the proper way: for example, to get the variable var submitted with GET, use $_GET['var']. PHP programmers should take note.

(9) Turn on magic_quotes_gpc to prevent SQL injection. SQL injection is a very dangerous problem: in a small case the web site is broken into, in a serious case the entire server falls, so be careful. php.ini has the setting:

magic_quotes_gpc = Off

This is off by default. If it is turned on, it automatically escapes the input users submit to SQL queries, for example converting ' into \', which has a significant effect against SQL injection. So we recommend setting:

magic_quotes_gpc = On

(10) Error message control. When PHP cannot connect to the database, or in other situations, it generally prints an error message, and the message usually contains information such as the current path of the PHP script or the SQL statement being queried. Handing this kind of information to hackers is not safe, so on a production server it is generally recommended to prohibit error output:

display_errors = Off

If you do want to display error messages, be sure to set the level of errors displayed, for example only warnings and above:

error_reporting = E_ERROR | E_WARNING

Of course, I recommend that you turn off the error output.

(11) Error log. After display_errors is turned off, it is recommended to record error messages in a log, which makes it easier to find out why the server is failing:

log_errors = On

Also set the directory where the error log lives; I suggest keeping it together with the Apache root logs:

error_log = D:/usr/local/apache2/logs/php_error.log

Note: the Apache user and group must have write permission to this file.

Running MySQL with reduced privileges. Create a new user, for example mysqlstart:

net user mysqlstart ****microsoft /add
net localgroup users mysqlstart /del

It now belongs to no group. If MySQL is installed in D:\mysql, give mysqlstart full control over that directory. Then in the system services, open the properties of the MySQL service, and on the Log On tab select "this account", enter mysqlstart and its password, and click OK. Restart the MySQL service, and MySQL runs with low privileges.

If you build Apache on the Windows platform, we also need to note that Apache runs as SYSTEM by default, which is very frightening and makes people very uncomfortable. So let us drop Apache's privileges too:

net user apache ****microsoft /add
net localgroup users apache /del

OK. We have created a user apache that belongs to no group. Open Computer Management, select Services, open the properties of the Apache service, choose Log On, select "this account", fill in the account and password created above, and restart the Apache service. OK, Apache now runs with low privileges.

In fact, we can also set the permissions on each folder so that the Apache user can only do what we want it to do, and create a separate user with read and write permission for each directory. This is also the configuration currently popular with many virtual-host providers, but for this purpose the method is a bit over-engineered.

Security Configuration II

The previous section described the basic configuration process for IIS + MySQL + PHP and the basic permission settings for Windows. In this section we need to discuss the security configuration of PHP, the security configuration of the web directory, and the extreme security configuration of IIS.

Let me say a few words first. Our ultimate goal is a web site that runs only PHP: it does not support ASP or ASP.NET, and specific directories or subsites, such as the image directory, are set so that PHP scripts cannot execute there. So even if a "hacker" logs into your site's back end and can upload files, in the end he cannot execute a webshell. Even if he gets a webshell, he cannot read directories or files and cannot execute commands. In other words, the powerful webshell in the hacker's hand has no value at all, and the hacker finally goes crazy. In fact this is not very difficult; follow my steps. After reading this article you will be able to complete such an extreme server configuration on your own.

Extreme configuration of the php.ini file

Why do we put php.ini first? Because our web site is PHP, and many of its default options are unsafe and leave hackers a lot of opportunities. So the first step is to set up php.ini so that it can stop the attacks of a generic script kiddie. Let's begin by understanding some basic concepts of php.ini. Whitespace and lines starting with a semicolon are simply ignored. The format of a directive is:

directive = value

Directive names are case-sensitive, so "foo=bar" is different from "FOO=bar". Values can be:

1. A string (such as "foo"), defined in quotation marks
2. A number (integer or floating-point, such as 0, 1, 34, -1, 33.55)
3. A PHP constant (such as E_ALL, M_PI)
4. An INI constant (On, Off, None)
5. An expression (such as E_ALL & ~E_NOTICE)

Boolean values can also be set with 1 (On) or 0 (Off).

php.ini has many parts, such as the module section, PHP global configuration, database configuration, and so on. Figure 1 shows a basic example of php.ini. Once we understand the basic concepts, we can start the extreme-configuration trip.
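As an added example (not part of the original article), the Python script below parses php.ini text in the directive = value format just described and checks the parsed settings against the hardening baseline from Security Configuration I. The sample php.ini fragment, the baseline table and the function names are constructed for this illustration.

```python
# Constructed php.ini fragment used as audit input (not taken from any real server).
SAMPLE_INI = """\
[PHP]
safe_mode = Off
safe_mode_gid = off
expose_php = On
register_globals = off
magic_quotes_gpc = Off
display_errors = On   ; left on during development
error_log = "D:/usr/local/apache2/logs/php_error.log"
disable_functions = system,passthru,exec
"""
# Recommended values from the article; None means "must be set to a directory".
BASELINE = {"safe_mode": "on", "safe_mode_gid": "off", "open_basedir": None, "expose_php": "off",
            "register_globals": "off", "magic_quotes_gpc": "on", "display_errors": "off", "log_errors": "on"}
# Command-execution and information-disclosure functions the article disables first.
DANGEROUS = {"system", "passthru", "exec", "shell_exec", "popen", "phpinfo"}

def parse_php_ini(text):
    """Return {directive: value}; skips blank, ';' and [section] lines, strips quotes and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"'):            # quoted string: keep text up to the closing quote
            end = value.find('"', 1)
            value = value[1:end] if end > 0 else value[1:]
        else:                                # bare value: drop a trailing ';' comment
            value = value.split(";", 1)[0].strip()
        settings[name] = value               # directive names are case-sensitive, so no .lower()
    return settings

def is_on(value):
    return value.lower() in ("1", "on", "true", "yes")
def audit(settings):
    """Compare parsed settings with BASELINE and return human-readable findings."""
    findings = []
    for directive, expected in BASELINE.items():
        actual = settings.get(directive)
        if expected is None and not actual:
            findings.append(f"{directive} is unset; point it at the site directory")
        elif expected and (actual is None or is_on(actual) != (expected == "on")):
            findings.append(f"{directive} should be {expected} (found {actual!r})")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(DANGEROUS - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings
```

Running audit(parse_php_ini(SAMPLE_INI)) reports seven findings for the sample, from the missing open_basedir to the three command-execution functions not yet in disable_functions. On PHP 5.4 and later, safe_mode, register_globals and magic_quotes_gpc no longer exist, so those three baseline entries apply only to the older PHP the article targets.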
