Setting PHP environment in WIN to prevent PHP Trojans

Source: Internet
Author: User
Tags imap

1. Prevent PHP trojans from redirecting to other directories

We can lock the website directory in the PHP environment so that scripts cannot jump out of the specified directory. There are two ways to set this.
First, you can set it in the httpd.conf file. If your website directory is E:\yourwebhome, add php_admin_value open_basedir E:\yourwebhome to httpd.conf.
Second, you can set it in the php.ini file: find open_basedir, remove the semicolon in front of it, and change it to open_basedir = "E:\yourwebhome"
If you are interested in the two methods, you can look up the relevant information. I personally still prefer the second one; by the way, the second one is not affected by safe_mode. I suggest using the second one. I have looked up the relevant information and have not been able to tell the difference between the two settings. If you have any opinions on this, please discuss, thanks.
Set allow_url_fopen in php.ini to Off to disable the use of remote files.

2. Prevent PHP trojans from executing system commands

The functions generally called to execute system commands in PHP are: passthru, exec, shell_exec, system
Many people simply turn safe_mode on and think they are safe. In fact, because each Apache version is different, there are multiple methods to bypass safe_mode, for example the imap function method written up by XY7 at the beginning of this year (the imap function is disabled by default), and the latest bypass methods such as the errorlog method. If you are interested, you can find the relevant information on the Internet; there are a lot of bypass methods. Based on the above, PHP is still usable for this after safe_mode is disabled, so in php.ini modify the following:
disable_functions = passthru, exec, shell_exec, system

3. Disable Error Message

After changing the above, we also need to change the error display option: display_errors = Off. It can be turned on during debugging; after the program is officially released, we strongly recommend that it be turned off.
magic_quotes_gpc = On is the default. Quotation marks in GET, POST, and cookie data are escaped with backslashes; for example, the value (Its "PHP!") is automatically converted to (Its \"PHP!\"). If you do not want them converted with "\", you can set magic_quotes_sybase = On, and the single quotation marks are then converted into double quotes. This can be used as a false positive.

4. Disable upload

The upload-related settings in the php.ini file have both advantages and disadvantages; decide how to use them. For example, file_uploads = On is the default, which supports HTTP upload. If you want to keep an upload vulnerability from being used to upload a PHP Trojan, you can turn it Off. However, other HTTP uploads then won't work either, so you can use permissions.
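
The php.ini settings from sections 1 to 4 can be checked mechanically. The following is an added example, not part of the original article: a small Python audit of php.ini text, where the function names load_ini and audit and both sample files are constructed for illustration. It relies on PHP directive names being case sensitive, so a capitalised Disable_functions line does not count as the directive.

```python
import configparser

EXEC_FUNCS = {"passthru", "exec", "shell_exec", "system"}  # section 2 list
OFF = {"off", "0", "false", "no", "none"}                   # values PHP reads as off

def load_ini(text):
    """Parse php.ini text into one flat dict, keeping directive case."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True,
                                      delimiters=("=",), inline_comment_prefixes=(";",))
    cp.optionxform = str              # PHP directive names are case sensitive
    cp.read_string("[PHP]\n" + text)  # tolerate directives before any section header
    return {k: (v or "").strip().strip('"') for s in cp.sections() for k, v in cp.items(s)}

def audit(text):
    """Return findings for the directives recommended in sections 1 to 4."""
    ini, out = load_ini(text), []
    if not ini.get("open_basedir"):
        out.append("open_basedir is not set: scripts can reach files outside the web root")
    if ini.get("allow_url_fopen", "on").lower() not in OFF:
        out.append("allow_url_fopen is on: remote files can be opened")
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    missing = sorted(EXEC_FUNCS - disabled)
    if missing:
        out.append("command functions still enabled: " + ", ".join(missing))
    if ini.get("display_errors", "on").lower() not in OFF:
        out.append("display_errors is on: error details are shown to visitors")
    if ini.get("file_uploads", "on").lower() not in OFF:
        out.append("file_uploads is on: check upload handling and folder permissions")
    return out

# Constructed samples. The capitalised Disable_functions line is not the
# directive PHP looks up, so the audit treats the functions as still enabled.
WEAK = r'''[PHP]
;open_basedir =
allow_url_fopen = On
Disable_functions = passthru, exec, shell_exec, system
display_errors = On
file_uploads = Off
'''
HARDENED = r'''[PHP]
open_basedir = "E:\yourwebhome"
allow_url_fopen = Off
disable_functions = passthru, exec, shell_exec, system
display_errors = Off   ; turn on only while debugging
file_uploads = Off
'''

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "no findings")
```

The audit reads the file only; the values actually in effect can differ when httpd.conf overrides them with php_admin_value.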

5. system permission settings

Apache runs as SYSTEM on Windows. In this case, you can create a user group with basic permissions, open "Services", find the Apache service, and replace the SYSTEM account with a low-permission user. Finally, set the relevant file permissions on the web directory, for example some folders writable and others read-only, depending on the actual situation.

6. Miscellaneous

At present there are still many function settings that I have not fully understood; I am still learning. Today we met a server where everything used the defaults, and there were more than N Trojans on it. The server environment does not have anti-virus software, so we used the ** Super invincible PHP Trojan killer. If that tool could customize keywords, it would be fine.
Finally, I would like to thank the friends who helped me today: handsome guy XY7, Jianxin, MX, and alpha.
