Recommended Linux administrators: Top 10 PHP Security points

Source: Internet
Author: User
HtmlPHP is one of the most widely used scripting languages. Market share shows its dominant position. PHP 7 has been released, making this programming language one of the most widely used scripting languages for the moment... PHP. Market share shows its dominant position. PHP 7 has been released. This fact makes this programming language more attractive to current developers. Despite some changes, many developers are skeptical about the future of PHP. One reason is the security of PHP.

Linux administrators should not know the top ten security points of PHP
PHP is one of the most widely used scripting languages. Market share shows its dominant position. PHP 7 has been released. This fact makes this programming language more attractive to current developers. Despite some changes, many developers are skeptical about the future of PHP. One reason is the security of PHP.

PHP Security is a major concern of developers. Although PHP provides reliable security from the inside out, developers need to correctly implement these security mechanisms. In this article, we will introduce several PHP Security points to the Linux administrator. These important points will help you ensure the security of Web applications and ensure normal operation in the long run.

Before we start, it is necessary to understand the system we are dealing. For demonstration purposes, we use Fedora. However, these points should apply to Ubuntu or any other Linux distributions. For more information, see the user manual for your operating system release.

Take a closer look at several key files in our system environment. Your file should be similar or correspond to the following:

Default web server: Apache

DocumentRoot:/var/www/html

PHP configuration file:/etc/php. ini

Extension configuration Directory:/etc/php. d/

Security File:/etc/php. d/security. ini

These techniques protect your website against different types of attacks, such as SQL injection, XSS, cross-site request forgery, eval (), and file upload. You can view a list of common attacks here (https://www.sitepoint.com/top-10-php-security-vulnerabilities.

1. delete unnecessary modules.

PHP comes with the built-in php module. They are useful for many tasks, but not every project needs them. Enter the following command to view the available PHP modules:

# Php-m

Once you view the list, you can delete unnecessary modules. Reducing the number of modules helps improve the performance and security of your Web applications.

2. restrict PHP information leakage.

Critical information exposed on the platform is common. For example, PHP may leak some information, such as the version and the fact that it is installed on the server. This can be achieved through the expose_php command. To prevent leakage, set this command to off in/etc/php. d/security. ini.

Expose_php = Off

If you need to know the version and its status, you only need to run a simple Curl command for the website address to obtain this information.

Curl-I http://www.kubiji.cn/index.php

The preceding command returns the following information:

HTTP/1.1 200 OK

X-Powered-By: PHP/7.0.10

Content-type: text/html; charset = UTF-8

3. disable remote code execution.

Remote code execution is one of the common security vulnerabilities in the PHP security system. By default, remote code execution is enabled on your system. The "allow_url_fopen" command allows the request (require), including (include), or fopen wrappers that recognize URLs, and other functions to directly access the php file. Remote access is implemented through HTTP or FTP, which makes the system unable to defend against code injection security vulnerabilities.

To ensure the security and reliability of your system and stay away from remote code execution, you can set this command to "Off", as shown below:

Allow_url_fopen = Off

Allow_url_include = Off

4. log PHP errors.

Another simple way to enhance Web application security is to not display errors to visitors. This will prevent hackers from endangering the security of the website. You must edit the file in the/etc/php. d/security. ini file.

Display_errors = Off

Now you may want to: After this step is completed, "How can developers debug with the help of no error message ?" Developers can use the log_errors command for debugging. They only need to set the log_errors command to "On" in the security. ini file ".

Log_errors = On

Error_log =/var/log/httpd/php_scripts_error.log

5. reasonably control resources.

Resource control is important to ensure application security. To ensure proper execution and security, you must restrict the execution of PHP scripts. In addition, the time spent on parsing request data should be limited. If the execution time is controlled, other resources such as memory used by the script should also be configured accordingly. All these metrics can be managed by editing the security. ini file.

# Set in seconds

Max_execution_time = 25

Max_input_time = 25

Memory_limit = 30 M

6. disable dangerous PHP functions

PHP is equipped with practical functions for development, but it may also be used by hackers to break into a large number of functions of Web applications. Disabling these functions improves overall security and ensures that you are not affected by dangerous PHP functions.

To solve this problem, you must edit the php. ini file first. Once you enter this file, find the disable_functions command to disable the dangerous functions in it. To do this, you only need to copy/paste the following code.

Disable_functions = exec, passthru,

Shell_exec, system, proc_open, popen, curl_exec,

Curl_multi_exec, parse_ini_file, show_source

You can learn more about disabling dangerous PHP functions here (https://www.eukhost.com/blog/webhosting/dangerous-php-functions-must-be-disabled.

7. upload a file.

If your application does not need to upload any files, disabling the file upload function helps improve security. To prohibit users from uploading files, you only need to edit the security. ini file in the/etc/php. d/directory and set the file_uploads command to OFF.

File_uploads = Off

8. keep the latest version.

Developers work continuously in 24/7 to patch your technology. The same is true for PHP. Since it has an open-source community, patches and corrections are regularly released. The new version also provides security patches for first-day vulnerabilities and other security vulnerabilities. If you focus on application security, always make sure that your PHP solution is the latest version. In addition, the latest patches for other related technologies can ensure maximum security.

9. control access to the file system.

By default, PHP can use functions such as fopen () to access files. The open_basedir Command provides access. First, you must always set the open_basedir command to the/var/www/html directory. Setting it to any other directory causes security problems.

Open_basedir = "/var/www/html /"

10. control the POST size.

Our last PHP Security point is to control the POST size function. The http post function uses the client browser to send data to the Web server. For example, a user may upload a certificate and send it to a Web browser for processing. Everything runs smoothly until one day hackers attempt to send large files to exhaust server resources. This may cause a server crash or slow response. To protect the server from this vulnerability, you need to set the POST size. The POST size can be set in the/etc/php. d/security. ini file.

Post_max_size = 1 k

Conclusion

Security is one of the most important issues for Web developers and Linux administrators. If the above points are adopted, you will certainly be able to enhance the security of the development environment and PHP Web applications. If you think we have missed important content, please leave a message to add it.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.