1, prevent from jumping out of the web directory
First modify httpd.conf, if you only allow your PHP script program to operate in the Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, if your web directory is/usr/local/apache/htdocs, add a few lines to the httpd.conf:
Php_admin_value Open_basedir/usr/local/apache
/htdocs
This way, if the script is to read a file other than/usr/local/apache/htdocs, it will not be allowed, and if the error appears to be turned on, this error will be prompted:
Warning:open_basedir restriction in multiplying. The File is in wrong directory in
/usr/local/apache/htdocs/open.php on line 4
Wait a minute.
2, prevent the implementation of PHP Trojan Webshell
Open Safe_mode,
Set in php.ini
disable_functions= Passthru,exec,shell_exec,system
Choose one or both.
3, prevent PHP Trojan read and write file directory
In php.ini
disable_functions= Passthru,exec,shell_exec,system
followed by the PHP function to process the file
Mainly has
Fopen,mkdir,rmdir,chmod,unlink,dir
Fopen,fread,fclose,fwrite,file_exists
Closedir,is_dir,readdir.opendir
Fileperms.copy,unlink,delfile
is to become
disable_functions= Passthru,exec,shell_exec,system,fopen,mkdir,rmdir,chmod,unlink,dir
, fopen,fread,fclose,fwrite,file_exists
, Closedir,is_dir,readdir.opendir
, Fileperms.copy,unlink,delfile
OK, done, PHP Trojan take we have no way, unfortunately, the use of the text database of those things can not be used.
If you are in the WinDOS platform to build Apache we also need to note that the Apache run by default is System permissions, which is very scary, this makes people feel very uncomfortable. Then let's give Apache a drop in privileges.
NET user Apache Fuckmicrosoft/add
net localgroup users Apache/del
OK. We have established a user apche that does not belong to any group.
We open the Computer Manager, select the service, point Apache Service Properties, we choose Log on, select this account, we fill in the above established accounts and passwords, restart the Apache service, Ok,apache run under low privileges.
In fact, we can set the permissions of each folder so that Apache users can only do what we want it to do, and create a single user who can read and write to each directory. This is also the current popular configuration of many virtual host providers Oh, but this method is used to prevent this is a bit more overqualified.