Configuration options
Although this book focuses on application security, any security-conscious developer must be familiar with some configuration options. The PHP configuration affects the behavior of the code you write and the techniques you use, so you need to take some responsibility for things beyond the application itself.
PHP configuration is mainly specified by a file named php.ini. This file contains many configuration options, each of which has a very specific effect on PHP. If the file does not exist, or an option is missing from it, the default value is used.
If you do not know the location of the php.ini file, you can use phpinfo() to find its path:
The sixth line of Figure A-1 (Configuration File (php.ini) Path) shows the complete path of php.ini. If only a directory (no file name) is displayed, PHP could not find a php.ini file in the directory shown.
The file itself is well commented, so you can read through it and select the configuration options that suit you. The manual is more detailed, so when you need more information about a particular option, I recommend that you consult it.
Figure A-1. The phpinfo() function can be used to locate the php.ini file.
A.1. allow_url_fopen
As shown in Chapter 6, the allow_url_fopen option allows you to reference remote resources like local files:
Chapter 5 reveals the risks when it is combined with include or require:
I recommend disabling the allow_url_fopen option unless your application needs it.
A.2. disable_functions
The disable_functions option is very useful: it ensures that certain potentially dangerous functions cannot be used at all. Although you can write a coding standard that prohibits these functions, a restriction in the PHP configuration is far more reliable than developers' compliance with a standard.
I suggest reviewing the functions listed in Appendix B to decide which of them should be restricted.
A.3. display_errors
PHP's error reporting helps you find mistakes in the code you write. While you are developing an application, displaying errors is an effective way to get immediate feedback and can speed up development.
In a production application, this becomes a security risk: if an error message is displayed, anyone can learn important details about your application.
In production, you should disable the display_errors option.
A.4. enable_dl
The enable_dl option controls whether the dl() function is available. This function allows PHP extensions to be loaded at runtime.
Using dl() may allow an attacker to bypass open_basedir restrictions, so unless your application needs it, you should disable it.
A.5. error_reporting
Many security vulnerabilities are caused by the use of uninitialized variables or other careless programming practices. By setting PHP's error_reporting option to E_ALL or E_ALL | E_STRICT, you make PHP warn you about such behavior; both settings report Notice-level errors.
We recommend that you set error_reporting to at least E_ALL (in development).
A.6. file_uploads
The file_uploads option determines whether file uploads are allowed at all. If your application does not require users to upload files, disabling this option is the best choice.
It is not enough to simply handle uploaded files in your PHP code, because PHP has already done some work before your code executes (for example, building the $_FILES array from the request data).
A.7. log_errors
When log_errors is enabled, PHP writes all error messages to the file specified by the error_log configuration option.
When display_errors is disabled, it is important to enable log_errors; otherwise, errors are never seen at all.
We recommend that you enable log_errors and set the location of the log file in error_log.
A.8. magic_quotes_gpc
magic_quotes_gpc is a popular option for preventing SQL injection. However, for many reasons, including the way it escapes input, it has proved to be far from perfect.
It applies the same rule, the addslashes() function, to all data in $_GET, $_POST, and $_COOKIE. As a result, it does not use the escaping function appropriate to your particular database.
There are two main reasons to disable magic_quotes_gpc:
First, it increases the complexity of your input filtering logic, because it modifies the data before your code executes. Suppose you need to filter an input name, and the rule is that only letters, spaces, hyphens, and single quotes are allowed. When magic_quotes_gpc is enabled, you must either accept a name such as O\'Reilly or use stripslashes() to try to restore it to its original form. This unnecessary complexity (or the looser filtering rule) increases the likelihood of mistakes, and a flaw in your input filtering will inevitably lead to a security vulnerability.
Second, it does not use the escaping function appropriate to your database. Because it can stop some simple or casual attacks, it masks the fact that it is a poor filtering and escaping mechanism, leaving a vulnerability that makes your application unable to resist more sophisticated attacks, such as those that exploit character sets.
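The name-filtering scenario above, worked through in PHP as an added example (not code from the book). Because magic_quotes_gpc no longer exists in current PHP, its effect is simulated with addslashes(), which is exactly what the setting applied to request data.

```php
<?php
// Added example (not from the book): why magic_quotes_gpc complicates the
// name filter described above. magic_quotes_gpc ran addslashes() over every
// $_GET, $_POST and $_COOKIE value before user code executed, so the effect
// is simulated here with addslashes() rather than relying on the setting.

/** The rule from the text: only letters, spaces, hyphens and apostrophes. */
function is_valid_name(string $name): bool
{
    return preg_match('/^[A-Za-z \'-]+$/', $name) === 1;
}

/** What request data looked like with magic_quotes_gpc on. */
function simulate_magic_quotes(array $input): array
{
    return array_map('addslashes', $input);
}

/**
 * Filter a submitted name. With magic quotes on, the value must first be
 * restored with stripslashes(), or a legitimate name is rejected. Returns
 * the validated name, or null when the filter rejects it.
 */
function filter_name(string $raw, bool $magic_quotes_on): ?string
{
    $candidate = $magic_quotes_on ? stripslashes($raw) : $raw;
    return is_valid_name($candidate) ? $candidate : null;
}

// Constructed request: a name the filter is meant to accept.
$submitted = ['name' => "O'Reilly"];

// magic_quotes_gpc off: the filter sees exactly what the user sent and accepts it.
var_dump(filter_name($submitted['name'], false));

// magic_quotes_gpc on: the value arrives with a backslash before the quote,
// so the strict filter rejects it until the added escaping is undone.
$quoted = simulate_magic_quotes($submitted);
var_dump($quoted['name']);
var_dump(is_valid_name($quoted['name']));
var_dump(filter_name($quoted['name'], true));

// The backslash that addslashes() adds is also the wrong escaping for many
// databases; escape at the point of use with the database's own function
// (for MySQL via mysqli, mysqli_real_escape_string()) or use prepared statements.
```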
A.9. memory_limit
To prevent poorly written scripts from consuming all available memory, you can use the memory_limit option to cap the maximum memory a script may use (in bytes, or in shorthand such as 8M).
Although the best value depends on the application, I recommend the default of 8M in most cases.
The memory_limit option takes effect only when PHP has been built with the enable-memory-limit option.
A.10. open_basedir
The open_basedir option restricts PHP to opening files only within the directory it specifies. Although it is no substitute for proper input filtering, this option can reduce the impact of attacks that abuse file system functions such as include and require.
The value of this option is matched as a prefix, so when you want to specify a directory, be careful not to omit the trailing slash:
open_basedir = /path/to/
Tip
Make sure that the enable_dl option is disabled; otherwise, open_basedir restrictions may be bypassed.
A.11. register_globals
See Chapter 2.
A.12. safe_mode
See Chapter 8.
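As an added example (not code from the book), the following PHP script reads the running interpreter's settings with ini_get() and reports which of the options discussed in this appendix differ from its recommendations. The memory_limit check is omitted because the right value is application-specific, and options removed from later PHP releases are treated as disabled.

```php
<?php
// Added example (not from the book): audit the php.ini options this appendix
// discusses against its recommendations. Run it under the SAPI you want to
// check (CLI and web server commonly load different php.ini files).

/** Interpret the string ini_get() returns for an On/Off style option. */
function ini_enabled(string $option): bool
{
    $value = ini_get($option);
    // ini_get() returns false for options the running PHP does not know
    // (magic_quotes_gpc, register_globals and safe_mode were removed in
    // later releases); a feature that does not exist counts as disabled.
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/** Return the findings as strings; an empty array means every check passed. */
function audit_php_config(): array
{
    $findings = [];

    // Options the appendix says to disable outright.
    foreach (['display_errors', 'enable_dl', 'magic_quotes_gpc', 'register_globals'] as $opt) {
        if (ini_enabled($opt)) {
            $findings[] = "$opt is enabled; disable it";
        }
    }
    // Options to disable unless the application actually needs them.
    foreach (['allow_url_fopen', 'file_uploads'] as $opt) {
        if (ini_enabled($opt)) {
            $findings[] = "$opt is enabled; disable it unless the application needs it";
        }
    }
    // Logging: errors must go somewhere once display_errors is off.
    if (!ini_enabled('log_errors')) {
        $findings[] = 'log_errors is disabled; errors will be lost';
    } elseif (trim((string) ini_get('error_log')) === '') {
        $findings[] = 'error_log is not set; the appendix recommends naming a log file';
    }
    // error_reporting is a bitmask; every bit of E_ALL must be present.
    if (((int) ini_get('error_reporting') & E_ALL) !== E_ALL) {
        $findings[] = 'error_reporting does not include E_ALL; notices are hidden';
    }
    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is empty; file functions are not confined to a directory';
    }
    return $findings;
}

$report = audit_php_config() ?: ['All checked options follow the appendix recommendations'];
echo implode(PHP_EOL, $report), PHP_EOL;
```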