PHP.ini security settings make your PHP more secure

Source: Internet
Author: User
Tags: php, script, apache, log, web hosting

PHP is used more and more, and its security issues matter more and more. Here we share how to configure php.ini safely.

Security Configuration One

(1) Turn on PHP safe mode. PHP's safe mode is an important built-in security mechanism. It can restrict some PHP functions, such as system(), applies ownership checks to many file-manipulation functions, and blocks access to certain key files such as /etc/passwd. The default php.ini does not turn safe mode on, so we turn it on:

safe_mode = On

Caveat: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP this setting has no effect; there the open_basedir and disable_functions settings in (5) and (6) do the real work.

(2) User-group security in safe mode. With safe_mode on and safe_mode_gid off, PHP compares the owner (UID) of the file being accessed with the owner of the running script. Turning safe_mode_gid on relaxes this to a group (GID) comparison, so every file owned by the same group becomes accessible. The stricter recommended setting is:

safe_mode_gid = Off

If the files in the server's web directory are not owned by the same user as the scripts, this check will stop the scripts from operating on those files, for example when they need to write to them; fix the ownership of the files rather than switching to the looser group check.

(3) Program execution directory in safe mode. If safe mode is on but some programs really do need to be executed, you can specify the directory from which programs may be run:

safe_mode_exec_dir = D:/usr/bin

In general there is no need to execute any program, so it is recommended not to point this at the system program directory. Point it at a separate directory and copy only the programs that must be run into it, for example:

safe_mode_exec_dir = D:/tmp/cmd

But I recommend allowing no program execution at all, in which case you can point it at the web directory:

safe_mode_exec_dir = D:/usr/www

(Whatever directory you choose must not be writable by the web server account, otherwise an uploaded executable could be run from it; a dedicated empty directory is the safer choice.)

(4) Included files in safe mode. If some common files need to be included while in safe mode, modify this option:

safe_mode_include_dir = D:/usr/www/include/

In fact the files a PHP script includes are already written into the program itself, so set this according to your actual needs.
(5) Control the directories a PHP script can access. The open_basedir option restricts PHP scripts to the specified directory, keeping them away from files they should not access and, to some extent, limiting the damage a PHP shell can do. Normally it is set so that only the site directory is accessible:

open_basedir = D:/usr/www

Two things worth knowing: several directories can be listed, separated by ; on Windows and : on Unix, and the value is a prefix match, so D:/usr/www also permits D:/usr/www2; end each path with a slash to avoid that.

(6) Disable dangerous functions. If safe mode is on, disabling functions is not strictly necessary, but we do it for safety anyway. For example, if we do not want PHP to run command-executing functions such as system(), or phpinfo(), which reveals the PHP configuration, we disable them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

(proc_open also runs commands and belongs on this list.) If you want to prohibit file and directory operations as well, you can disable many of the file functions:

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above is only a list of file-handling functions that are rarely needed (note that delete in the original list is not a PHP function). Combine it with the command-execution list above and you will be able to resist most PHP shells. disable_functions can only be set in php.ini; a script cannot re-enable a function with ini_set().

(7) Stop the PHP version leaking in the HTTP header. To prevent an attacker from learning the server's PHP version from the X-Powered-By response header, turn it off:

expose_php = Off

Then when an attacker runs telnet www.12345.com 80 and sends a request, no PHP version information appears in the response.
(8) Turn off register_globals. With register_globals on, every variable submitted to PHP, whether by POST or GET, is automatically registered as a global variable and can be accessed directly, which is very insecure for the server. So turn off global registration of submitted variables:

register_globals = Off

Of course, once this is set, the corresponding variables must be accessed properly: to read a variable var submitted by GET, use $_GET['var']. PHP programmers should take note. (register_globals was removed in PHP 5.4, where submitted variables are never globals.)

(9) Turn on magic_quotes_gpc against SQL injection. SQL injection is a very dangerous problem: at the least the site's admin back end is breached, at worst the whole server falls, so be careful. php.ini has the setting:

magic_quotes_gpc = Off

which is off by default. When it is turned on, PHP automatically escapes the data users submit before it reaches an SQL query, turning ' into \' for example, which helps against SQL injection. So the recommended setting is:

magic_quotes_gpc = On

Caveat: magic quotes only escape quote characters, so they do nothing against injection into a numeric context, and the feature was removed in PHP 5.4. Parameterized (prepared) queries are the reliable defence; treat magic_quotes_gpc as a stop-gap on old PHP only.

(10) Error message control. When PHP cannot connect to the database or hits some other error, it normally prints an error message, and that message usually contains the current path of the PHP script or the SQL statement of the query. Such information is a gift to an attacker, so on a production server suppress the error display:

display_errors = Off

If you do want errors displayed, be sure to set the level of errors displayed, for example warnings and errors only:

error_reporting = E_WARNING | E_ERROR

(The original wrote E_WARNING & E_ERROR, but those two flags share no bits, so the bitwise AND is 0 and nothing at all is reported; flags are combined with |.) Of course, I recommend turning error display off.
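The point of the caveat in (9), shown in working code. This is an added example written for this page, not code from the original article, and it is Python with SQLite rather than PHP with MySQL: SQLite escapes a quote by doubling it instead of MySQL's backslash, so the "magic quotes" stand-in below doubles quotes. The accounts and payloads are constructed for the demo.

```python
"""Escaping vs parameterisation: why magic_quotes_gpc is not an SQL-injection fix.

Added example written for this page, not code from the original article.
PHP's magic_quotes_gpc ran addslashes() over every request value, which
only matters inside a quoted SQL string.  The demo builds the same queries
three ways against a constructed in-memory SQLite table.  SQLite escapes a
quote by doubling it rather than with MySQL's backslash, so the stand-in
for magic quotes doubles quotes; the lesson is the same.
"""
import sqlite3

# Constructed sample accounts, not real data.
USERS = [(1, "admin", "s3cret"), (2, "guest", "guest")]


def magic_quotes(value: str) -> str:
    """Stand-in for magic_quotes_gpc: neutralise quote characters only."""
    return value.replace("'", "''")


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return con


def login_concat(name: str, pw: str, escape=lambda s: s) -> list:
    """Vulnerable pattern: request values pasted into the SQL text.
    Returns the ids of the rows the query matched."""
    sql = f"SELECT id FROM users WHERE name = '{escape(name)}' AND pw = '{escape(pw)}'"
    return [row[0] for row in _db().execute(sql)]


def user_by_id_concat(uid: str, escape=lambda s: s) -> list:
    """Same pattern in a numeric context: no quotes around the value, so a
    quote-escaping filter has nothing to act on."""
    sql = f"SELECT name FROM users WHERE id = {escape(uid)}"
    return [row[0] for row in _db().execute(sql)]


def user_by_id_param(uid: str) -> list:
    """Hardened form: a parameterised query.  The value is bound by the
    driver and never becomes part of the SQL text."""
    return [row[0] for row in _db().execute("SELECT name FROM users WHERE id = ?", (uid,))]


def demo() -> dict:
    """Run the scenarios with two classic payloads and return the results."""
    quote_payload = "' OR '1'='1"      # needs quotes: magic quotes stop it
    numeric_payload = "2 OR 1=1"       # no quotes: magic quotes do nothing
    return {
        "login_no_escape": login_concat("admin", quote_payload),
        "login_magic_quotes": login_concat("admin", quote_payload, magic_quotes),
        "id_no_escape": user_by_id_concat(numeric_payload),
        "id_magic_quotes": user_by_id_concat(numeric_payload, magic_quotes),
        "id_param": user_by_id_param(numeric_payload),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:20} -> {rows}")
```

Running it shows the quote payload logging in as every user without escaping and being stopped by the escaping step, while the numeric payload returns every user both with and without escaping and is stopped only by the bound parameter.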
(11) Error log. After turning off display_errors, it is recommended that errors still be logged, which makes it easy to find the reason for server problems:

log_errors = On

Also set the file the error log is written to; putting it alongside the Apache logs is suggested:

error_log = D:/usr/local/apache2/logs/php_error.log

Note: the Apache user and group must have write permission on that file.

Running MySQL with reduced privileges. Create a new user, for example mysqlstart:

net user mysqlstart ****microsoft /add
net localgroup users mysqlstart /del

The second command removes the account from the Users group, so it belongs to no group (replace ****microsoft with a password of your choice; the original masks it). If MySQL is installed in D:\mysql, give mysqlstart full control of that directory. Then open the properties of the MySQL service in the system services, and on the Log On tab select this user mysqlstart, enter the password, and click OK. Restart the MySQL service, and MySQL now runs with low privileges.

If Apache is set up on Windows, note also that by default Apache runs with SYSTEM permissions, which is very scary and makes people very uncomfortable. So let us drop Apache's privileges too:

net user apache ****microsoft /add
net localgroup users apache /del

OK, we have created an account apache that belongs to no group. Open Computer Management, select Services, open the properties of the Apache service, choose Log On, select This account, fill in the account and password established above, and restart the Apache service. OK, Apache now runs with low privileges.

In fact, you can also set permissions on individual folders so that the Apache user can do only what you want it to do, creating a separate read/write user for each directory. This is also a popular configuration among many current web hosting providers, but for the purpose of preventing the attacks discussed here it is somewhat overkill.

Security Configuration Two

The basic configuration process for IIS + MySQL + PHP and the basic permission settings for Windows were described previously.
In this section we discuss the security configuration of PHP, of the web directory, and the less usual security configuration of IIS. A few words first. The ultimate goal is that the web site runs only PHP and does not support ASP, and that specific directories or sub-sites, for example an upload directory, cannot execute PHP scripts at all. Then even if a "hacker" logs into your site's admin back end and can upload files, he still cannot run a web shell. Even if he gets a web shell, he cannot read directories or files and cannot execute commands. In other words, the powerful web shell in the attacker's hands is of no use to him, leaving him nothing to do but go mad. Doing this is actually not very difficult; just follow along. After finishing this article you will be able to complete such a paranoid server configuration on your own.

I. php.ini file configuration

Why put php.ini first? Because our site is PHP, and many of php.ini's default options are unsafe and give attackers plenty of opportunities. So the first step is to set up php.ini so that it stops the ordinary script-kiddie attack. Let us begin with some basic concepts of php.ini. Whitespace and lines beginning with a semicolon are simply ignored. A directive has the form:

directive = value

Directive names are case sensitive, so "foo=bar" is different from "FOO=bar". A value can be:

1. A quoted string (e.g. "foo")
2. A number (integer or floating point, e.g. 0, 1, 34, -1, 33.55)
3. A PHP constant (e.g. E_ALL, M_PI)
4. An INI constant (On, Off, None)
5. An expression (e.g. E_ALL & ~E_NOTICE)

Boolean values can also be written as 1 (on) or 0 (off). php.ini has many parts, such as the module section, global PHP configuration, database configuration, and so on. Figure 1 shows an example of a basic php.ini. With the basic concepts understood, we can start the paranoid tour.
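A practitioner auditing a fleet of servers wants the settings from (1) to (11) checked offline rather than by reading each php.ini by hand. The following is an added example written for this page, not code from the original article: a small Python parser for the php.ini syntax just described (directive = value, ';' comments, case-sensitive names, On/Off/1/0 booleans, constant expressions such as E_ALL & ~E_NOTICE) followed by an audit of the parsed settings. The sample php.ini fragment is constructed for the demo, the E_ALL value assumes PHP 5.4 or later, and the open_basedir trailing-slash check assumes a single path.

```python
"""Offline audit of a php.ini against recommendations (1) to (11) above.

Added example written for this page, not code from the original article.
It implements the php.ini syntax described above (directive = value, ';'
comments, case-sensitive names, On/Off/1/0 booleans, constant expressions)
and reports settings that conflict with the recommendations.  SAMPLE_INI
is constructed for the demo.
"""
import re

# PHP error-level constants (partial list); E_ALL assumes PHP 5.4 or later.
PHP_CONSTANTS = {"E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
                 "E_STRICT": 2048, "E_DEPRECATED": 8192, "E_ALL": 32767}
# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"expose_php": "On", "display_errors": "On",
            "log_errors": "Off", "register_globals": "Off"}
# Command-execution and info-disclosure functions from (6), plus proc_open.
COMMAND_FUNCTIONS = {"system", "passthru", "exec", "shell_exec",
                     "popen", "proc_open", "phpinfo"}

SAMPLE_INI = """
; constructed php.ini fragment for the demo
[PHP]
safe_mode = On
expose_php = On
register_globals = Off
display_errors = On
error_reporting = E_WARNING & E_ERROR   ; should be |
log_errors = On
error_log = "D:/usr/local/apache2/logs/php_error.log"
open_basedir = D:/usr/www
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
"""

def strip_comment(line: str) -> str:
    """Cut a ';' comment, ignoring ';' inside a quoted value."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == ";":
            return line[:i]
    return line

def parse_ini(text: str) -> dict:
    """Return {directive: value}; names are case-sensitive, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                      # strip surrounding quotes
        settings[name] = value
    return settings

def is_on(value: str) -> bool:
    return value.strip().lower() in ("1", "on", "true", "yes")

def eval_error_level(expr: str) -> int:
    """Evaluate an error_reporting expression.  After substituting constants
    only digits and ( ) & | ^ ~ may remain, so eval() cannot run other code."""
    subst = re.sub(r"[A-Z_][A-Z0-9_]*", lambda m: str(PHP_CONSTANTS[m.group(0)]), expr)
    if not re.fullmatch(r"[\d()&|^~ ]+", subst):
        raise ValueError(f"unsupported expression: {expr!r}")
    return eval(subst) & 0x7FFF              # ~x is negative in Python; mask

def audit(settings: dict) -> list:
    """Return [(directive, problem)] for settings conflicting with (1)-(11)."""
    findings = []
    for name, want_on, why in (
            ("expose_php", False, "leaks the PHP version in X-Powered-By (7)"),
            ("register_globals", False, "makes request values globals (8)"),
            ("display_errors", False, "shows paths and SQL to visitors (10)"),
            ("log_errors", True, "errors are not recorded (11)")):
        value = settings.get(name, DEFAULTS[name])
        if is_on(value) != want_on:
            findings.append((name, f"{name} = {value}: {why}"))
    if "error_log" not in settings:
        findings.append(("error_log", "no error_log file configured (11)"))
    base = settings.get("open_basedir")
    if base is None:
        findings.append(("open_basedir", "scripts may read any file (5)"))
    elif not base.endswith(("/", "\\")):         # single-path check only
        findings.append(("open_basedir", f"{base} is a prefix match; add a trailing slash (5)"))
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    missing = sorted(COMMAND_FUNCTIONS - disabled)
    if missing:
        findings.append(("disable_functions", "still enabled: " + ", ".join(missing) + " (6)"))
    expr = settings.get("error_reporting")
    if expr is not None and eval_error_level(expr) == 0:
        findings.append(("error_reporting", f"{expr!r} is 0, nothing is reported; use | not & (10)"))
    for name in ("safe_mode", "magic_quotes_gpc"):
        if name in settings:
            findings.append((name, f"{name} was removed in PHP 5.4; do not rely on it (1)/(9)"))
    return findings

if __name__ == "__main__":
    for directive, problem in audit(parse_ini(SAMPLE_INI)):
        print(f"{directive:18} {problem}")
```

Run against the sample it flags expose_php, display_errors, the E_WARNING & E_ERROR mistake, the missing trailing slash on open_basedir, the absent proc_open, and the reliance on safe_mode; a php.ini that follows (5) to (11) produces no findings. The eval() is safe only because the regex whitelist allows nothing but numbers and bit operators to reach it; keep that check if you extend the parser.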
