Home>Article>Backend Development> How does php prevent sql injection attacks?

How does php prevent sql injection attacks?

王林
王林 Original
2019-09-16 13:05:27 3001browse

How does php prevent sql injection attacks?

Configuration on the server side

Security, writing PHP code is one aspect, and PHP configuration is very critical.
We installed PHP manually. The default configuration file of PHP is in /usr/local/apache2/conf/php.ini. Our most important thing is to configure the content in php.ini so that we can execute PHP more safely. The security settings in the entire PHP are mainly to prevent attacks from phpshell and SQL Injection. Let’s discuss it slowly. We first use any editing tool to open /etc/local/apache2/conf/php.ini. If you install it in other ways, the configuration file may not be in this directory.

(1) Turn on PHP’s safe mode
php’s safe mode is a very important built-in security mechanism that can control some functions in PHP, such as system(), At the same time, the permissions of many file operation functions are controlled, and certain key files are not allowed, such as /etc/passwd. However, the default php.ini does not open the safe mode. Let's open it:

safe_mode = on

(2) User group security
When safe_mode is turned on, safe_mode_gid is turned off, then the php script can access the file, and users in the same group can also access the file .
It is recommended to set it to:

safe_mode_gid = off

If you do not set it, we may not be able to operate the files in our server website directory, such as when we need to operate files.

(3) Home directory for executing programs in safe mode
If safe mode is turned on, but you want to execute certain programs, you can specify the program to be executed. Main directory:

safe_mode_exec_dir = D:/usr/bin

Generally, there is no need to execute any program, so it is recommended not to execute the system program directory. You can point to a directory and then copy the program that needs to be executed, such as:

safe_mode_exec_dir = D:/tmp/cmd

However, I recommend not to execute any program, then you can point to our web page directory:

safe_mode_exec_dir = D:/usr/www

(4) Include files in safe mode
If you want to include some public files in safe mode, then modify the options:

safe_mode_include_dir = D:/usr/www/include/

In fact, generally the files included in php scripts have been written by the program itself. This It can be set according to specific needs.

(5) Control the directories that PHP scripts can access
Use the open_basedir option to control that PHP scripts can only access specified directories, which can prevent PHP scripts from accessing directories that should not be accessed The accessed files limit the harm of phpshell to a certain extent. We can generally set it to only access the website directory:

open_basedir = D:/usr/www

(6) Turn off dangerous functions
if If the safe mode is turned on, function prohibition is not necessary, but we still consider it for safety's sake. For example, if we feel that we do not want to execute PHP functions that can execute commands, including system(), or phpinfo() and other functions that can view PHP information, then we can prohibit them:

disable_functions = system,passthru,exec,shell_exec,popen,phpinfo

If you want to prohibit any file and directory operations, you can close many file operations.

disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,delete,copy,mkdir, rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown

The above only lists some of the commonly used file processing functions. You can also combine the above execution command function with this function to resist most phpshells.

(7) Close the leakage of PHP version information in the http header
In order to prevent hackers from obtaining the PHP version information in the server, we can close the leakage of the information in the http header In the header:

expose_php = Off

For example, when a hacker telnet www.12345.com 80, he will not be able to see the PHP information.
(8) Turn off registration of global variables
Variables submitted in PHP, including variables submitted using POST or GET, will be automatically registered as global variables and can be accessed directly. This is The server is very unsafe, so we cannot let it be registered as a global variable, so we turn off the registration global variable option:

register_globals = Off

Of course, if it is set like this, then you must use it when getting the corresponding variable. Reasonable methods, such as obtaining the variable var submitted by GET, then use $_GET['var'] to obtain it. PHP programmers should pay attention to this.
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem. It can cause the website backend to be invaded, or the entire server to fall, so be careful. There is a setting in php.ini:

magic_quotes_gpc = Off

This is turned off by default. If it is turned on, it will automatically convert user-submitted SQL queries, such as converting ' to \', etc. It plays a significant role in preventing sql injection. Therefore, we recommend setting it to:

magic_quotes_gpc = On

(10) Error message control
Generally, PHP will prompt an error when it is not connected to the database or under other circumstances. General error messages It will contain the current path information of the php script or the query SQL statement. This type of information is not safe after being provided to hackers, so it is generally recommended that the server disable error prompts:

display_errors = Off

If you But if you want to display error information, you must set the level of error display, for example, only display information above warning:

error_reporting = E_WARNING & E_ERROR

当然,我还是建议关闭错误提示。
(11) 错误日志
建议在关闭display_errors后能够把错误信息记录下来,便于查找服务器运行的原因:

log_errors = On

同时也要设置错误日志存放的目录,建议根apache的日志存在一起:

error_log = D:/usr/local/apache2/logs/php_error.log

注意:给文件必须允许apache用户的和组具有写的权限。
MYSQL的降权运行
新建立一个用户比如mysqlstart

net user mysqlstart fuckmicrosoft /add net localgroup users mysqlstart /del

不属于任何组
如果MYSQL装在d:\mysql ,那么,给 mysqlstart 完全控制 的权限
然后在系统服务中设置,MYSQL的服务属性,在登录属性当中,选择此用户 mysqlstart 然后输入密码,确定。
重新启动 MYSQL服务,然后MYSQL就运行在低权限下了。
如果是在windos平台下搭建的apache我们还需要注意一点,apache默认运行是system权限
这很恐怖,这让人感觉很不爽.那我们就给apache降降权限吧。

net user apache fuckmicrosoft /add net localgroup users apache /del

ok.我们建立了一个不属于任何组的用户apche。
我们打开计算机管理器,选服务,点apache服务的属性,我们选择log on,选择this account,我们填入上面所建立的账户和密码,
重启apache服务,ok,apache运行在低权限下了。
实际上我们还可以通过设置各个文件夹的权限,来让apache用户只能执行我们想让它能干的事情,给每一个目录建立一个单独能读写的用户。
这也是当前很多虚拟主机提供商的流行配置方法哦,不过这种方法用于防止这里就显的有点大材小用了。

推荐视频教程:PHP视频教程

The above is the detailed content of How does php prevent sql injection attacks?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn