PHP can run in normal mode or in safe mode. Most installations run in normal mode, because many functions are restricted once safe mode is configured. This article describes the safe mode configuration in detail. Note that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4; the remaining directives covered below (open_basedir, disable_functions, expose_php and so on) still apply to current PHP versions.
When safe mode is turned on, the following functions are restricted:
chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink
Some functions in PHP extensions are affected as well. (Loading modules: the dl() function is disabled in safe mode, so an extension can only be loaded by listing it in the extension options in php.ini, where it is loaded when PHP starts.)
When safe mode is on and a script needs to run an operating-system program, the program must reside in the directory named by the safe_mode_exec_dir option, otherwise execution fails. Even when execution is allowed, the command string is automatically passed through escapeshellcmd() for filtering.
The following command-execution functions are affected:
exec, shell_exec, passthru, system, popen
In addition, the backtick operator (`) is disabled.
In safe mode putenv() has no effect: it raises no error but silently does nothing. Likewise set_time_limit(), set_include_path() and other functions that try to change PHP's runtime environment are ignored.
1. All input and output functions (such as fopen(), file() and require()) are restricted to files that have the same owner as the script calling them. For example, with safe mode enabled, a script owned by Mary that calls fopen() on a file owned by John fails; if Mary owns both the calling script and the file it opens, the call succeeds.
2. A program can be run through popen(), system() or exec() only if it is located in the directory specified by the safe_mode_exec_dir directive.
3. HTTP authentication is tightened, because the UID of the owner of the authenticating script is added to the authentication realm. In addition, the PHP_AUTH variables are not set when safe mode is enabled.
4. If a MySQL database server is used, the user name used to connect to MySQL must match the user name that owns the file calling mysql_connect().
(1) Turn on PHP safe mode
PHP's safe mode is an important built-in security mechanism. It controls certain functions such as system(), and at the same time restricts the permissions of many file-operation functions, so that key files such as /etc/passwd cannot be read.
The default php.ini does not enable safe mode, so we turn it on:
safe_mode = on
(2) User group security
With safe_mode on and safe_mode_gid off, the ownership check compares user IDs: a script may only access files owned by the same user. With safe_mode_gid on, the check is relaxed to group IDs, so files owned by other users in the same group become accessible too.
It is recommended to set it to:
safe_mode_gid = off
If the files in the website directory are not owned by the user the scripts run as, file operations there will fail under this setting; fix the file ownership rather than relaxing the check.
(3) Directory of executable programs in safe mode
If safe mode is on but certain programs must be executed, specify the directory that holds them:
safe_mode_exec_dir = D:/usr/bin
Normally there is no need to execute any program, so do not point this at a system program directory. Point it at a directory of your own and copy only the programs that need to be run into it, for example:
safe_mode_exec_dir = D:/tool/exe
If no program needs to be executed at all, point it at an empty directory that the web server user cannot write to (the name D:/usr/empty below is only an illustration):
safe_mode_exec_dir = D:/usr/empty
Do not point it at the web directory: any file an attacker manages to upload there would then be executable through exec() and the other functions listed above.
(4) Include files in safe mode
To include shared files in safe mode without the ownership check, set:
safe_mode_include_dir = D:/usr/www/include/
Files included from this directory (and its subdirectories) bypass the UID/GID check, so it must not be writable by the web server user, and the value should end with a slash, because it is matched as a prefix. In practice the files a PHP script includes are usually fixed in the program itself, so set this according to actual need.
(5) Control the directories that PHP scripts can access
The open_basedir option limits PHP scripts to the specified directory tree. This prevents scripts from reading files they should not see and limits the damage a PHP shell can do. Usually it is set to the website directory only:
open_basedir = D:/usr/www/
The value is matched as a prefix, so D:/usr/www without the trailing slash would also allow a path such as D:/usr/www-old; end it with a directory separator to restrict access to that directory alone.
(6) Turn off dangerous functions
With safe mode on, disabling functions is not strictly necessary, but we still do it for safety. For example, if we do not want scripts to execute commands through system() and similar functions, or to expose the PHP configuration through phpinfo(), we disable them (proc_open is added to the original list here because it also spawns processes):
disable_functions = system,passthru,exec,shell_exec,popen,proc_open,phpinfo
To prohibit file and directory operations as well, many file functions can be disabled (delete, which appears in some versions of this list, is not a PHP function and has been dropped):
disable_functions = chdir,chroot,dir,getcwd,opendir,readdir,scandir,fopen,unlink,copy,mkdir,rmdir,rename,file,file_get_contents,fputs,fwrite,chgrp,chmod,chown
Only the commonly used file-handling functions are listed here; combined with the command-execution functions above, this stops most PHP shells. Two caveats: disable_functions can only be set in php.ini (not at runtime with ini_set()) and only covers internal functions, so language constructs such as eval and include are unaffected by it; and a later disable_functions line overrides an earlier one, so the two lists above must be merged into a single line.
(7) Stop leaking the PHP version in the HTTP header
To prevent attackers from learning the server's PHP version, turn off the X-Powered-By header:
expose_php = Off
Afterwards an attacker who connects with telnet www.target.com 80 and sends a request no longer sees the X-Powered-By: PHP/... line in the response headers. This hides the version only; fingerprinting by other means remains possible, so treat it as defence in depth.
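Items (1) to (7) above can be checked from the command line. The script below is an added example, not part of the original article; it assumes PHP 7.1 or later and that it runs with the same php.ini as the web server (for example `php audit.php`, or through the web SAPI if the CLI uses a different ini file). It also checks proc_open, which the article's own list does not include. On PHP 5.4 and later, safe_mode and safe_mode_gid no longer exist, and the script reports that instead of failing.

```php
<?php
// Added example (not from the original article): audit the running PHP
// configuration against the hardening settings discussed in (1) to (7).
// Assumes PHP 7.1+ and that it runs with the same php.ini as the web server.

// Read an ini flag as bool; null means the directive does not exist in
// this PHP build (safe_mode and safe_mode_gid were removed in PHP 5.4).
function iniBool(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return in_array(strtolower((string) $v), ['1', 'on', 'yes', 'true'], true);
}

// Parse the comma-separated disable_functions list into a clean array.
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// open_basedir entries without a trailing separator are matched as a bare
// prefix, which also admits sibling directories sharing that prefix.
function openBasedirPrefixes(string $value): array
{
    $bad = [];
    foreach (array_filter(explode(PATH_SEPARATOR, $value)) as $dir) {
        if (!in_array(substr($dir, -1), ['/', '\\'], true)) {
            $bad[] = $dir;
        }
    }
    return $bad;
}

// Returns one finding per setting that deviates from the recommendation;
// an empty array means the configuration matches.
function auditConfig(): array
{
    $findings = [];

    $safeMode = iniBool('safe_mode');
    if ($safeMode === null) {
        $findings[] = 'safe_mode is not available in this PHP version (removed in 5.4); rely on open_basedir and disable_functions';
    } elseif (!$safeMode) {
        $findings[] = 'safe_mode is Off';
    }
    if (iniBool('safe_mode_gid') === true) {
        $findings[] = 'safe_mode_gid is On (group check is weaker than the UID check)';
    }

    $base = (string) ini_get('open_basedir');
    if ($base === '') {
        $findings[] = 'open_basedir is not set';
    }
    foreach (openBasedirPrefixes($base) as $dir) {
        $findings[] = "open_basedir entry $dir has no trailing separator and is matched as a prefix";
    }

    // Command-execution functions from (6), plus proc_open (added here: it
    // also spawns processes and is easy to forget), plus phpinfo.
    $mustDisable = ['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open', 'phpinfo'];
    $disabled = disabledFunctions();
    foreach ($mustDisable as $fn) {
        // function_exists() is false for functions removed via disable_functions.
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $findings[] = "$fn is still callable";
        }
    }

    if (iniBool('expose_php') === true) {
        $findings[] = 'expose_php is On (X-Powered-By header leaks the PHP version)';
    }

    return $findings;
}

$findings = auditConfig();
if ($findings === []) {
    echo "configuration matches the recommended settings\n";
}
foreach ($findings as $f) {
    echo "[!] $f\n";
}
```

Each finding names the directive and the reason, so the output can be fed straight into a ticket; the checks are deliberately read-only and never call the dangerous functions themselves.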
(8) Turn off registered global variables
With register_globals on, every submitted variable, including those sent by POST or GET, is automatically registered as a global variable and can be used directly. This is very unsafe for the server, because request data can overwrite variables the script never meant to expose, so we turn the option off:
register_globals = Off
With this set, the corresponding variables must be read explicitly: a variable var submitted by GET is obtained as $_GET['var']. PHP programmers should take note. (register_globals was removed in PHP 5.4, so on current versions it is always off.)
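As an added example (not from the original article), the script below reproduces the classic hole that register_globals opened and the explicit form that closes it. The request array and the checkPassword() helper are constructed for the demonstration, and extract() stands in for what register_globals did to every request before the script ran.

```php
<?php
// Added example (not from the original article): the hole that
// register_globals opens, and the explicit $_GET form that closes it.
// The request data is constructed inline so the script runs from the CLI.

// Simulated HTTP request: the attacker appended ?authorized=1 to the URL.
$requestGet = ['user' => 'guest', 'authorized' => '1'];

// Stand-in for a real credential check; only "admin" passes here.
function checkPassword(string $user): bool
{
    return $user === 'admin';
}

// Vulnerable: written for register_globals = On. The author assumes that
// $authorized can only be set by the password check below.
function vulnerableAccess(array $get): string
{
    extract($get);                 // mimics register_globals importing the query string
    if (checkPassword($user)) {
        $authorized = true;
    }
    // $authorized was already "1" from the request, so the check is bypassed.
    return !empty($authorized) ? 'granted' : 'denied';
}

// Hardened: register_globals = Off, every input read explicitly from the
// request array and the flag initialised before use.
function hardenedAccess(array $get): string
{
    $authorized = false;
    $user = isset($get['user']) ? (string) $get['user'] : '';
    if (checkPassword($user)) {
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

echo "register_globals style: ", vulnerableAccess($requestGet), "\n";
echo "explicit \$_GET style:   ", hardenedAccess($requestGet), "\n";
```

Run from the command line, the first line reports that the guest was granted access and the second that it was denied; the only difference is that the hardened version initialises its own state and never lets the request name the variables it writes.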
(9) Turn on magic_quotes_gpc to prevent SQL injection
SQL injection is a very dangerous problem: in the mildest case the website backend is compromised, in the worst case the whole server is lost. So be careful. There is a setting in php.ini:
magic_quotes_gpc = Off
This is off in the shipped php.ini. When on, PHP automatically escapes the data submitted by the user in GET, POST and cookie values, for example converting ' to \', which blunts simple SQL injection. So we recommend setting it to:
magic_quotes_gpc = On
Treat this as a stopgap for legacy code only: it does nothing for values used in a numeric context (WHERE id = $id), it mangles data that is not destined for SQL at all, and it was deprecated in PHP 5.3 and removed in PHP 5.4. The real fix is prepared statements with bound parameters (mysqli or PDO) in the application code.
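To show exactly what magic_quotes_gpc did and did not cover, here is an added example that is not part of the original article. It emulates the setting with addslashes() (the escaping magic_quotes applied to request data), runs the concatenated numeric query and the prepared query against a constructed in-memory SQLite table through PDO (so the pdo_sqlite extension is assumed), and only prints, without executing, the quoted-string case, because SQLite does not interpret backslash escapes the way MySQL does.

```php
<?php
// Added example (not from the original article). Emulates magic_quotes_gpc
// with addslashes() and shows where it helps and where it does not.
// Assumes the pdo_sqlite extension; the users table is constructed inline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER, name TEXT, role TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// What magic_quotes_gpc did to every GET/POST/COOKIE value.
function magicQuotes(string $value): string
{
    return addslashes($value);
}

// Quoted string context: the case magic_quotes was designed for. Shown as
// SQL text only: MySQL reads \' as a literal quote inside the string, while
// SQLite uses '' escaping, so this query is not executed here.
function nameQuery(string $name): string
{
    return "SELECT COUNT(*) FROM users WHERE name = '" . magicQuotes($name) . "'";
}

// Numeric context: there is no quote to escape, so addslashes() changes
// nothing and the injected boolean reaches the database intact.
function countById(PDO $db, string $id): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE id = ' . magicQuotes($id);
    return (int) $db->query($sql)->fetchColumn();
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function countByIdPrepared(PDO $db, string $id): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn();
}

// Constructed attacker input for each case.
echo "escaped string query:   ", nameQuery("' OR '1'='1"), "\n";
echo "numeric, concatenated:  ", countById($db, '1 OR 1=1'), " row(s)\n";
echo "numeric, prepared:      ", countByIdPrepared($db, '1 OR 1=1'), " row(s)\n";
echo "prepared, honest input: ", countByIdPrepared($db, '1'), " row(s)\n";
```

The concatenated numeric query matches every row in the table because the escaping never touched the input, while the prepared statement binds the same string as a value and matches nothing; the honest lookup still works, which is the point of moving to bound parameters rather than relying on a global escaping switch.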