Some common security configuration methods in php.ini _ PHP Tutorial

Source: Internet
Author: User
This article introduces how to make some common security configurations in php.ini. Refer to it if you need it.

(1) enable PHP safe mode

PHP safe mode is a very important built-in security mechanism. It can restrict some functions in PHP, such as system(), control the permissions of many file operation functions, and refuse access to files containing certain keywords, such as /etc/passwd. However, the default php.ini does not enable safe mode, so let's turn it on:

safe_mode = On

(2) User Group Security

When safe_mode is enabled and safe_mode_gid is disabled, PHP compares the user ID (UID) of the file being opened with that of the script; if safe_mode_gid is enabled, the comparison is relaxed to the group ID (GID), so other users in the same group can also access the files.

Recommended settings:

safe_mode_gid = Off

If this is not set correctly, scripts may be unable to operate on files under the website directory of our server, for example when they need to read or write those files.

(3) main directory for executing programs in safe mode

If safe mode is enabled but you still need to execute some external programs, you can specify the directory from which programs may be executed:

safe_mode_exec_dir = /usr/bin

Generally, you do not need to execute any program at all, so we recommend that you do not point this at the system program directory. Instead, point it at a separate directory and copy only the programs that must be executed into it, for example:

safe_mode_exec_dir = /temp/cmd

Better still, if no program needs to be executed, point it at our web page directory so that nothing there is executable:

safe_mode_exec_dir = /usr/www

(4) file inclusion in security mode

If you want to include some shared files in safe mode, modify the following option:

safe_mode_include_dir = /usr/www/include/

In practice, the files a PHP script includes are written into the program itself, so set this directory as needed.

(5) control the directories accessible to PHP scripts

The open_basedir option restricts PHP scripts to the specified directory, so they cannot access files that should not be accessed. This limits the damage a phpshell planted in some program can do. Generally, we can set it so that only the website directory is accessible:

open_basedir = /usr/www
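The open_basedir value is evaluated as a path prefix, not as a directory name, which is easy to get wrong: PHP's documentation notes that "/usr/www" also admits "/usr/www2" if it exists, and that the entry must end with a slash to restrict access to that directory alone. The following Python model, added here as an example and not taken from PHP's own source or from the article, reproduces that rule together with the resolution of ".." segments, so the effect of the setting above can be checked offline. All paths are constructed; symbolic links are not modelled.

```python
"""Model of PHP's open_basedir check (added example, not PHP's own code).

It reproduces the documented rule that open_basedir entries are path *prefixes*:
"/usr/www" also admits "/usr/www2", while "/usr/www/" (trailing slash) admits only
the directory itself and paths below it. All paths used here are constructed;
symlinks are not modelled, only lexical '.' and '..' resolution.
"""
import posixpath


def resolve(path):
    """Collapse '.' and '..' segments lexically; PHP resolves symlinks too, which is skipped here."""
    return posixpath.normpath(path)


def is_allowed(path, open_basedir):
    """Return True if `path` lies under at least one entry of the open_basedir value.

    `open_basedir` is the raw php.ini value, entries separated by ':' (Unix form).
    """
    target = resolve(path)
    for entry in open_basedir.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        base = resolve(entry)  # normpath also drops a trailing slash
        if entry.endswith("/"):
            # Trailing slash: match the directory itself or a path below it.
            prefix = base if base.endswith("/") else base + "/"
            if target == base or target.startswith(prefix):
                return True
        elif target.startswith(base):
            # No trailing slash: plain string prefix, so "/usr/www" admits "/usr/www2".
            return True
    return False


def demo():
    """Return the decisions for a few constructed paths under the article's setting."""
    cases = [
        ("/usr/www/index.php", "/usr/www"),
        ("/usr/www2/config.php", "/usr/www"),        # admitted by the bare prefix
        ("/usr/www2/config.php", "/usr/www/"),       # denied once the slash is added
        ("/usr/www/../../etc/passwd", "/usr/www/"),  # '..' is resolved before the check
    ]
    return [(path, setting, is_allowed(path, setting)) for path, setting in cases]


if __name__ == "__main__":
    for path, setting, allowed in demo():
        print(f"open_basedir={setting:<10} {path:<28} {'allowed' if allowed else 'denied'}")
```

Running the script shows the second case admitted and the third denied, which is why a trailing slash (open_basedir = /usr/www/) is the safer spelling of the setting given above.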

(6) disable dangerous functions

If safe mode is enabled, this is not strictly required, but it should still be considered for security. For example, if we do not want PHP to execute functions that run external commands, such as system(), or phpinfo(), which reveals information about the PHP installation, we can disable them:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl

If you want to prevent operations on any files and directories, you can disable many file operation functions:

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

The above lists only some commonly used file processing functions. You can also combine the command execution functions above with these file functions to resist most phpshells; note that php.ini keeps only the last disable_functions line it reads, so put both lists on a single line.

(7) disable php version information leakage in the http header

To prevent hackers from obtaining information about the PHP version on the server, we can stop it from being leaked in the HTTP header:

expose_php = Off

For example, when hackers telnet to www.girlcoding.com on port 80, they will no longer see the X-Powered-By header that reveals the PHP version.

(8) disable registration of global variables

Variables submitted to PHP, including those submitted using POST or GET, are automatically registered as global variables that can be accessed directly, which is very insecure for the server. Therefore, if we do not need them registered as global variables, we disable the register_globals option:

register_globals = Off

Of course, once this is set, the corresponding variable must be obtained in the proper way: for example, to get the variable var submitted by GET, you need to use $_GET['var']. PHP programmers should pay attention to this.

(9) enable magic_quotes_gpc to prevent SQL injection.

SQL injection is a very dangerous problem. If the website's back end is compromised, the entire server may be compromised, so be careful. php.ini has the following setting:

magic_quotes_gpc = Off

This is disabled by default. If it is enabled, PHP automatically escapes the data users submit before it reaches SQL queries, for example converting a single quote ' into \', which has a great effect on preventing SQL injection. Therefore, we recommend the following setting:

magic_quotes_gpc = On

An upload program would not work locally, but it could be used on the server. This may also be caused by inheriting the core file of Discuz: an error occurred while obtaining the path. Later, this parameter was turned on and the problem was solved.

(10) error message control

Generally, PHP prints an error message when it cannot connect to the database or in other failure cases. The error message contains the current path of the PHP script or the SQL statement being queried, and this kind of information is unsafe to hand to hackers. Therefore, we recommend that you disable the display of error messages on the server:

display_errors = Off

If you really want to display error information, you must set the error level to display, for example to show only warnings and errors (the two constants are combined with a bitwise OR; using & would yield 0 and report nothing):

error_reporting = E_ERROR | E_WARNING

Of course, we recommend that you disable the error message.

(11) error log

After disabling display_errors, we recommend that you record the error information so that the cause of server problems can be found out:

log_errors = On

At the same time, you must set the file where error logs are stored. It is recommended to keep them together with the Apache logs:

error_log = /usr/local/apache2/logs/php_error.log

Note: the Apache user or group must have write permission on this file.
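Sections (5) to (11) above each set a single php.ini directive, and it is easy to miss one or to spell a value in a way PHP does not interpret as intended. The following Python script, added here as an example and not part of the original article or of PHP, reads a php.ini text the way PHP's reader treats it for these directives (';' comments, [Section] headers, a later line overriding an earlier one) and reports every directive that differs from the recommendations above. Both php.ini texts in the script are constructed for the demonstration; the directive names and the disable_functions list are the ones given in the article.

```python
"""Audit a php.ini against the checklist in sections (5) to (11) above.

Added example, not part of the original article. Both php.ini texts below are
constructed for the demonstration.
"""

# Boolean directives and the value the article recommends.
BOOLEAN_EXPECTED = {
    "expose_php": "off",
    "display_errors": "off",
    "log_errors": "on",
}

# Directives that must be present and non-empty.
REQUIRED_NON_EMPTY = ("open_basedir", "disable_functions", "error_log")

# Command-execution and information-disclosure functions from the article's list.
DANGEROUS_FUNCTIONS = {
    "system", "passthru", "exec", "shell_exec", "popen", "proc_open", "phpinfo", "dl",
}

# Directives the article discusses that were removed in PHP 5.4; on current builds
# they have no effect, so a hardening that relies on them is silently void.
REMOVED_IN_PHP_54 = {
    "safe_mode", "safe_mode_gid", "safe_mode_exec_dir", "safe_mode_include_dir",
    "register_globals", "magic_quotes_gpc",
}


def parse_php_ini(text):
    """Return {directive: value}; a directive repeated later in the file wins, as in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (quoted ';' not handled)
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def normalize_bool(value):
    """Map the spellings PHP accepts for booleans onto 'on' / 'off'."""
    v = value.strip().lower()
    if v in ("1", "on", "true", "yes"):
        return "on"
    if v in ("", "0", "off", "false", "no", "none"):
        return "off"
    return v


def audit(settings):
    """Return a list of (directive, problem) tuples; an empty list means the checklist passes."""
    findings = []
    for directive, expected in BOOLEAN_EXPECTED.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append((directive, "not set; PHP's built-in default applies"))
        elif normalize_bool(actual) != expected:
            findings.append((directive, f"is {actual!r}, should be {expected.capitalize()}"))
    for directive in REQUIRED_NON_EMPTY:
        if not settings.get(directive):
            findings.append((directive, "not set"))
    # PHP function names are case-insensitive, so compare in lower case.
    listed = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_callable = sorted(DANGEROUS_FUNCTIONS - listed)
    if still_callable:
        findings.append(("disable_functions", "still callable: " + ", ".join(still_callable)))
    for directive in sorted(REMOVED_IN_PHP_54 & set(settings)):
        findings.append((directive, "removed in PHP 5.4; has no effect on current builds"))
    return findings


# Constructed: a loosely configured php.ini with several of the article's problems.
LOOSE_PHP_INI = """
[PHP]
expose_php = On
display_errors = On      ; leaks script paths and SQL in error output
log_errors = Off
error_log = /usr/local/apache2/logs/php_error.log
open_basedir = /usr/www
disable_functions = system, passthru, exec
magic_quotes_gpc = On    ; no longer exists in PHP >= 5.4
"""

# Constructed: the same file after applying sections (5) to (11).
HARDENED_PHP_INI = """
[PHP]
expose_php = Off
display_errors = Off
log_errors = On
error_log = "/usr/local/apache2/logs/php_error.log"
open_basedir = /usr/www/
disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl
"""


if __name__ == "__main__":
    for directive, problem in audit(parse_php_ini(LOOSE_PHP_INI)):
        print(f"[!] {directive}: {problem}")
    print("hardened file findings:", audit(parse_php_ini(HARDENED_PHP_INI)))
```

The script reports the safe mode, register_globals and magic_quotes_gpc directives as obsolete rather than checking their values, because PHP 5.4 removed all three; on any current PHP build, sections (1) to (4), (8) and (9) have no effect, and SQL injection has to be addressed in the application code with parameterised queries instead of relying on magic_quotes_gpc.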

