Reinforce the PHP environment)

Author: Albert
When PHP is running as an Apache module, Apache security plays a leading role. Therefore, if the configuration is correct, PHP should be a very secure environment, however, If PHP runs in CGI mode, it is not so secure.
The operations mentioned in this article are applicable to both Unix and Windows.
1. Run as an Apache module
Generally, Apache runs with "nobody" or "www". Therefore, PHP is safe as a module.
If PHP is in a VM environment, users may be at risk of browsing other user files. A simple script is as follows:
　　
// Assume that the document root is in/usr/local/websites/mydomain
$ Location = ../; // go to the upper-level directory
$ Parent = dir ($ location );
// Display the current directory:/usr/local/websites
While ($ entry = $ parent-> read ()){
Echo $ entry.
;
}
$ Parent-> close ();
?>
In this way, you only need to modify $ location to view all the files of other users on the VM. To reduce this risk, we need to take a look at php. ini and modify the safe_mode, doc_root, and usr_dir parameters to restrict users to their own virtual host environments:
Safe_mode = On
Doc_root =/usr/local/apache/htdocs
User_dir =/home/Albert TXU/htdocs
II. As CGI
You need to be very careful when running PHP in CGI Mode, which may expose information that you do not want to know.
The first thing to note is to place the execution file outside the root directory of the document. For example,/usr/local/bin. Therefore, all CGI files must start:
#! /Usr/local/bin/php
To prevent the user from calling CGI directly, force CGI redirection in Apache:
Action php-script/cgi-bin/php. cgi
AddHandler php-script. php
The following URL
Http://example.com/mywebdir/test.htm
Convert:
Http://example.com/cgi-bin/php/mywebdir/test.htm
When compiling PHP in CGI mode, it is best to use the following options:
-- Enable-force-cgi-redirect
This article discusses the security of PHP. For details about the security, refer to the security
Http://www.php.net/manual/en/security.php
That chapter.