No matter how old the version of PHP is, there are some problems. For example, there were some serious bugs before php4.3.10 and php5.0.3, so it is recommended to use the new version. In addition, the currently popular SQL Injection can be used in many ways on PHP, so to ensure security, PHP code writing is one aspect, and PHP configuration is very critical.
We installed PHP manually. The default configuration file of PHP is in /usr/local/apache2/conf/php.ini. Our most important thing is to configure the content in php.ini so that we can execute PHP more safely. The security settings in the entire PHP are mainly to prevent attacks from phpshell and SQL Injection. Let’s discuss it slowly. We first use any editing tool to open /etc/local/apache2/conf/php.ini. If you install it in other ways, the configuration file may not be in this directory.
(1) Turn on the safe mode of php
php’s safe mode is a very important built-in security mechanism that can control some functions in php, such as system(),
At the same time, the permissions of many file operation functions are controlled, and certain key files, such as /etc/passwd, are not allowed.
But the default php.ini does not open safe mode, let’s open it:
safe_mode = on
(2) User group security
When safe_mode is turned on, safe_mode_gid is turned off, then the php script can access the file, and it is the same
Users in thegroup can also access the file.
Recommended settings are:
safe_mode_gid = off
If we don’t set it up, we may not be able to operate the files in our server website directory. For example, we need to
When operating on files.
(3) The main directory of the execution program in safe mode
If safe mode is turned on but you want to execute certain programs, you can specify the home directory of the program to be executed:
safe_mode_exec_dir = D:/usr/bin
Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory,
Then copy the program that needs to be executed, such as:
safe_mode_exec_dir = D:/tmp/cmd
However, I recommend not to execute any program, then you can point to our web directory:
safe_mode_exec_dir = D:/usr/www
(4) Include files in safe mode
If you want to include certain public files in safe mode, then change the options:
safe_mode_include_dir = D:/usr/www/include/
In fact, generally the files included in php scripts have been written in the program itself. This can be set according to specific needs.
(5) Control the directories that php scripts can access
Use the open_basedir option to control the PHP script to only access the specified directory, which can prevent the PHP script from accessing
Files that should not be accessed limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:
open_basedir = D:/usr/www
(6) Turn off dangerous functions
If safe mode is turned on, function prohibition is not necessary, but we still consider it for safety. For example,
We don’t think we want to execute php functions including system() that can execute commands, or that can view php information
phpinfo() and other functions, then we can ban them:
disable_functions = system,passthru,exec,shell_exec,popen,phpinfo
If you want to prohibit any file and directory operations, you can close many file operations
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function,
It can resist most phpshells.
(7) Close the leakage of PHP version information in the http header
In order to prevent hackers from obtaining the PHP version information in the server, we can turn off the information in the http header:
expose_php = Off
For example, when a hacker telnet www.chinaz.com 80, he will not be able to see PHP information.
(8) Close registration of global variables
Variables submitted in PHP, including those submitted using POST or GET, will be automatically registered as global variables and can be accessed directly,
This is very unsafe for the server, so we can’t let it be registered as a global variable, so we turn off the register global variable option:
register_globals = Off
Of course, if this is set, then reasonable methods must be used to obtain the corresponding variables, such as obtaining the variable var submitted by GET,
Then you need to use $_GET[’var’] to get it. PHP programmers should pay attention to this.
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. In the smallest case, the website backend may be invaded, or in the worst case, the entire server may collapse.
So be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
This is turned off by default. If it is turned on, it will automatically convert the SQL query submitted by the user,
For example, converting ' to ', etc., this plays a significant role in preventing SQL injection. So we recommend setting it to:
magic_quotes_gpc = On
(10) Error message control
Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. Generally, the error message will contain a PHP script when
The path information beforeor the query SQL statement and other information are unsafe if provided to hackers, so it is generally recommended that servers disable error prompts:
display_errors = Off
If you want to display an error message, be sure to set the level of display error, for example, only display information above warning:
error_reporting = E_WARNING & E_ERROR
Of course, I still recommend turning off error prompts.
(11) Error log
It is recommended to record the error information after turning off display_errors, so as to find the reason why the server is running:
log_errors = On
At the same time, you must also set the directory where the error log is stored. It is recommended that the root apache log be stored together:
error_log = D:/usr/local/apache2/logs/php_error.log
Note: The file must be given to allow the apache user and group to have write permissions.
MySQL operation with reduced privileges
Create a new user such as mysqlstart
net user mysqlstart ****microsoft /add
net localgroup users mysqlstart /del
Does not belong to any group
If MYSQL is installed in d:mysql, then give mysqlstart full control permissions
Then set the MYSQL service properties in the system service. In the login properties, select this user mysqlstart and enter the password and confirm.
Restart the MYSQL service, and then MYSQL will run with low privileges.
If apache is built on a windos platform, we need to pay attention to one thing. Apache runs with system permissions by default,
This is scary, this makes people feel very uncomfortable. Then let’s lower the permissions of apache.
net user apache ****microsoft /add
net localgroup users apache /del
ok. We created a user apche that does not belong to any group.
We open the computer manager, select services, click on the properties of the apache service, we select log on, select this account, we fill in the account and password created above,
Restart the apache service, ok, apache is running with low permissions.
In fact, we can also set the permissions of each folder so that the apache user can only perform what we want it to do, and create a separate read-write user for each directory.
This is also a popular configuration method used by many virtual host providers. However, this method is overkill when used to prevent this.