[Beijing website production] PHP security configuration details
Source: Shangpin China |
Type: website encyclopedia |
Time: October 21, 2011
PHP Security Configuration Details
PHP is undoubtedly a very powerful server-side scripting language, but powerful functions are always accompanied by major dangers. In this chapter, you will learn to use PHP security mode to prevent some potential dangers of PHP.
[Security Mode]
The PHP security mode provides a basically secure shared environment on a PHP open Web server with multiple user accounts. When PHP running on a Web server has security mode turned on, some functions will be completely disabled, and some available functions will be restricted.
[Use secure mode to enforce restrictions]
In security mode, some functions that attempt to access the file system will be restricted. Run the Web server user ID. If you want to operate on a file, you must have access to read or write the file. PHP has no problem implementing this restriction function.
When the security mode is enabled, PHP will check whether the current user is the owner of the target file when trying to read or write a local file. If it is not the owner, the operation will be disabled. (Write permission: under a lower level of file access permission, it may be allowed to read or write files of the system operating system. The PHP security mode prevents you from operating another user's files. Of course, a Web server may be able to access an arbitrary file with global write permission.)
When the security mode is turned on, the functions of the following function list will be restricted:
chdir , move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink
Similarly, some functions in PHP extensions will also be affected. (Loading module: dl function will be disabled in security mode. If you want to load an extension, you can only modify the extension option in php. ini and load it when PHP starts)
When the PHP security mode is turned on, the operating system program must be executed in the directory specified in the safe_mode_exec_dir option, or the execution will fail. Even if execution is allowed, it will be automatically passed to the escape shellcmd function for filtering.
The following list of functions executing commands will be affected:
exec, shell_exec, passthru, system, popen
In addition, the back marking operator (`) will also be turned off.
When running in safe mode, the putenv function will be invalid, although it will not cause errors. Similarly, set_time_limit and set_include_path of other functions that try to change PHP environment variables will also be ignored.
[Open Safe Mode]
To turn PHP security mode on or off, use the safe_mode option in php.ini. If you want to activate the security mode for all current users sharing the Web server, just set the configuration option to: safe_mode=On. When the function accesses the file system, it will check the file owner. By default, the user ID of the file owner will be checked. When you can modify the group ID (GID) of the file owner to that specified by the safe_mode_gid option. If you have a shared library file on your system, when you need to include or require, you can use the safe_mode_include_dir option to set your path to ensure that your code works properly. (Include path: If you want to use the safe_mode_include_dir option to include more include paths, you can use the colon to split in Unix/Linux systems and the semicolon to split in Windows, just like the include_path option.) For example, if you want to include files in/usr/local/include/php in security mode, Then you can set the options as: safe_mode_include_dir=/usr/local/include/php If your included files need to be executed, you can set the safe_mode_exec_dir option. For example, if you need the files in the/usr/local/php bin path to be executable, you can set the options as: safe_mode_exec_dir=/usr/local/php bin (executable: if the program you execute is in the/usr/bin directory, you can connect these binary files to the path you specify to be executable under the options). If you want to set some environment variables, Then you can use the safe_mode_allowed_env_vars option. The value of this option is the prefix of an environment variable. The default is to allow environment variables starting with PHP_. If you want to change it, you can set the value of this option. Multiple environment variable prefixes are separated by commas. For example, the following allows the environment variable TZ of the time zone. Modify the value of this option to: safe_mode_allowed_env_vars=PHP_. TZ [Other security features] In addition to the security mode, PHP also provides many other features to ensure PHP security.
[Hide PHP]
You can use the expose_php option in php.ini to prevent the Web server from leaking PHP report information. As follows: expose_php=On By using the entire setting, you can block some attacks from automated scripts against Web servers. Normally, the HTTP header contains the following information: Server: Apache/1.3.33 (Unix) PHP/5.0.3 mod_ssl/2.8.16
OpenSSL/0.9.7c After the expose_php option is turned on, the PHP version information will not be included in the header information above. Of course, users can also see the file extension of. php when visiting the website. If you want to use different file extensions, you need to find the following line in httpd.conf: AddType application/x-httpd. php You can modify. php to any file extension you like. You can specify any number of file extensions, separated by spaces. If you want to use PHP to parse. html and. htm files on the server, you can set the following options: AddType application/x-httpd. html (parse HTML: configure your Web server to use PHP to parse all HTML files, but if non server code also needs PHP to parse, it will affect the server's performance. You can use different extensions for static pages, which can eliminate dependence on the PHP script engine and enhance performance.)
[File system security]
The security mode restricts the script owner to access only his own files, but you can use the open_basedir selection to specify a directory that you must access. If you specify a directory, PHP will deny access to other directories except this directory and its subdirectories. The open_basedir option can work outside of security mode. The file system can only access the/tmp directory, so the setting option is: open_basedir=/tmp [function access control] You can use comma division in the disable_functions option to set function names, then these functions will be closed in the PHP script. This setting can work outside of safe mode. Disable_functions=dl Of course, you can also use the disable_classes option to close access to some classes.
label: Beijing website production High end website construction
Source Statement: This article is original or edited by Shangpin China's editors. If it needs to be reproduced, please indicate that it is from Shangpin China. The above contents (including pictures and words) are from the Internet. If there is any infringement, please contact us in time (010-60259772).
