The security configuration of the PHP system is primary

PHP has a lot of configuration parameters, you can directly access the system and operation directory.
For example, the System command (which allows PHP to access the Linux system directly, do some post-logon operations) in the default PHP-FPM program, is turned off by default.
1.PHP-FPM php.ini View (default PHP directory)
Switch to the/USR/LOCAL/PHP/ETC directory below and you can see the basic configuration of PHP in this directory
If not found, you can use the command to find the statement
Find/usr/local/php-name php.ini
The corresponding location will be listed.
2. Close the running PHP-FPM (the main function is to restart the PHP-FPM, to resolve some crash bugs)
Killall PHP-FPM (shut down all running processes called PHP-FPM)
If you want to start running again
/USR/LOCAL/PHP/SBIN/PHP-FPM (Super Admin command)
3. To prevent the opposite view of PHP version
Expose_php=on (after this is turned on, the attacker will not be able to view PHP version information)
3. When on, you can call system directly (and system similar to include the EXEC command, an output command run results, one does not output the result of running)
System ("PWD");
The PWD command for Linux is called directly.
The command is disabled by default, in the php.ini
Disable_functions = The following can be filled with a large number of forbidden functions, (multiple disabled functions, need to be separated by commas) such as
Disable the Phpinfo () function so that the system cannot view the information for Phpinfo ().
If you want to use the system command, you need to open the Systems Command (the command is not secure, but in the appropriate situation to use can greatly improve efficiency)
4. Some unsafe instructions are turned on, and some configuration is required to restrict their access to directory permissions
Open_basedir=.:/ home/www/
Open_basedir restricts the access directory for the current user. Represents the current directory/home/www for all directories allowed to be accessed beyond the qualified directory, will be directly error
5. In a formal operating environment, a new configuration is required for some of the php.ini (the scope of the effect is only the current PHP script)
Turn off error display
Error_reporting (E_all);
Ini_set (' display_errors ', ' on ');

error_reporting (0);
Ini_set (' display_errors ', ' Off ');
6. Ini_set is useless when Safe_mode is turned on.
Ini_set (' post_max_size ', ' 10M ');
Ini_set (' upload_max_filesize ', ' 8M ');//File Upload max.
Need to be configured in. htaccess (Required setting is allowoverride all)
Php_value upload_max_filesize 8M
Php_value post_max_size 10M
PS: In large-scale project deployment, all environments are unified, generally open security mode, this time is not allowed to change a single PHP configuration parameters (PHP configuration is the operation and maintenance department to determine the configuration, do not allow the programmer to change the operating environment, Can only be done by itself) to complete this function is required. htaccess Configuration

