PHP security: safe mode

Source: Internet
Author: User



Safe mode

PHP's safe_mode option aims to solve some of the problems described in this chapter. However, as the PHP Manual notes, trying to solve such problems at the PHP level is architecturally incorrect.

When safe mode is in effect, PHP checks the owner of every file that the executing script reads (or otherwise operates on) to make sure it is the same as the owner of the script. Although this does stop many of the examples in this chapter from working, it has no effect on programs written in other languages. For example, a CGI script written in Bash:

    #!/bin/bash

    echo "Content-Type: text/plain"
    echo ""
    cat /home/victim/inc/db.inc


Will the Bash interpreter care about, or even check, the directive in the PHP configuration file that enables safe mode? Of course not. Likewise, the other languages the server may support, such as Perl and Python, do not care either. All of the examples in this chapter can easily be adapted to other programming languages.

Another typical problem is that safe mode does not prevent access to files owned by the web server. A script can be used to create another script, and because the new script belongs to the web server, it can access every file that belongs to the web server:

 ';   file_put_contents($filename, $script);   ?>


The above script creates the following file:

 
 


Because the file is created by the web server, it is owned by the web server (Apache typically runs as the user nobody):

    $ ls -l file.php
    -rw-r--r--  1 nobody nobody 72 May 21 12:34 file.php


Therefore, this script can bypass many of the safeguards that safe mode provides. Even with safe mode enabled, an attacker can display information such as the session data stored in the /tmp directory, because these files belong to the web server (nobody).
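A defender's check for the condition described above, as an added example that is not part of the original article: it walks a document root and reports scripts owned by the web server account, plus directories in which that account can create files. The function names and the extension list are assumptions, group-write permissions are ignored, and the sample tree is constructed.

```python
import os
import stat
import tempfile

# Assumption: extensions the server executes or includes as PHP.
SCRIPT_EXTS = (".php", ".phtml", ".inc")

def audit_docroot(docroot, web_uid):
    """Return sorted (kind, path) findings for a document root.

    'owned-script': a script owned by the web server account; an owner
                    check like safe mode's lets it read every other file
                    that account owns (sessions in /tmp, uploads, ...).
    'writable-dir': a directory the web server account can create files
                    in, which is how such a script appears at runtime.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        st = os.lstat(dirpath)
        owner_write = st.st_uid == web_uid and st.st_mode & stat.S_IWUSR
        if owner_write or st.st_mode & stat.S_IWOTH:
            findings.append(("writable-dir", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            fst = os.lstat(path)
            if (stat.S_ISREG(fst.st_mode)
                    and name.lower().endswith(SCRIPT_EXTS)
                    and fst.st_uid == web_uid):
                findings.append(("owned-script", path))
    return sorted(findings)

def demo():
    """Constructed tree; the current user stands in for the web server."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    with open(os.path.join(root, "file.php"), "w") as fh:
        fh.write("<?php /* constructed sample */ ?>")
    with open(os.path.join(root, "logo.png"), "w") as fh:
        fh.write("not a script")
    return root, audit_docroot(root, os.getuid())

if __name__ == "__main__":
    for kind, path in demo()[1]:
        print(kind, path)
```

On a real host, pass the numeric UID of the account the web server runs as (for example, the UID of nobody) and the path of the document root.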

PHP's safe mode does help, and it can be considered a defense-in-depth mechanism. However, it offers only poor protection, and it cannot replace the other security measures described in this chapter.
