| php.ini only | This setting can only be set in php.ini |
PHP has hundreds of configuration directives, so I won't introduce them one by one here. If you are interested, you can look up the details in the official PHP configuration documentation: http://www.php.net/manual/zh/ini.list.php
Common basic settings for PHP
(1) open_basedir settings
open_basedir restricts the directories an application is allowed to access, so check whether open_basedir is set. Of course, some deployments set it through the web server instead, for example Apache's php_admin_value, while nginx + FastCGI is controlled through its configuration file.
(2) allow_url_fopen setting
If allow_url_fopen=ON, PHP can open and read remote files, which is easily exploited by attackers.
(3) allow_url_include setting
If allow_url_include=ON, then PHP can include remote files, which will cause serious vulnerabilities.
(4) safe_mode_exec_dir setting
This option controls the directory from which PHP is allowed to run external commands. If the PHP program calls external commands, restricting them to a known directory limits the program's risk.
(5) magic_quotes_gpc setting
This option escapes special characters in submitted parameters. It is recommended to set magic_quotes_gpc=ON.
(6) register_globals setting
Turning on this option will cause PHP to register all externally submitted variables as global variables, and the consequences are quite serious.
(7) safe_mode setting
safe_mode is an important security feature of PHP; it is recommended to turn it on.
(8) session.use_trans_sid setting
If session.use_trans_sid is enabled, PHP passes the session ID through the URL, which makes it easy for an attacker to hijack the current session or to trick the user into using an existing session that the attacker controls.
(9) display_errors setting
If this option is enabled, PHP outputs all error and warning messages, and attackers can use them to obtain sensitive information such as the web root path.
(10) expose_php setting
If the expose_php option is enabled, every response produced by the PHP interpreter includes the PHP version installed on the host system. Knowing the PHP version running on a remote server lets an attacker enumerate known exploitation methods against the system, greatly increasing the chance of a successful attack.
(11) magic_quotes_sybase setting (automatic escaping of quotation marks)
The magic_quotes_sybase directive also escapes special characters automatically. When set to on, it overrides the magic_quotes_gpc=on configuration; in other words, setting gpc=on then has no effect. What this directive has in common with gpc is that they process the same data, namely POST, GET and Cookie input.
(12) disable_functions setting
In a production environment, to run PHP more safely you can also use the disable_functions directive to disable the use of some sensitive functions. When you use this directive to ban dangerous functions, remember to add the dl() function to the banned list, because attackers can use dl() to load custom PHP extensions and break out of the restrictions imposed by disable_functions.
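A small checker, added here as an illustration and not part of the original article, that parses a php.ini fragment and flags the directives discussed above. Both fragments and the paths in them are constructed; the DEFAULTS table holds the built-in values PHP applies when a directive is absent.

```python
# Constructed php.ini fragment carrying several of the weak settings described above.
WEAK_INI = """[PHP]
; allow_url_fopen = Off   <- commented out, so the built-in default (On) still applies
allow_url_include = On
register_globals = 1
display_errors = "On"
expose_php = On
session.use_trans_sid = 1
disable_functions = exec,system
"""
# The same fragment with each directive corrected (constructed; the paths are placeholders).
HARDENED_INI = """open_basedir = /var/www/html:/tmp
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
display_errors = Off
expose_php = Off
session.use_trans_sid = 0
disable_functions = exec,system,dl
"""
TRUTHY = {"1", "on", "true", "yes"}  # spellings php.ini treats as boolean true
# Built-in values PHP applies when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off", "register_globals": "Off",
            "display_errors": "On", "expose_php": "On", "session.use_trans_sid": "Off"}

def parse_ini(text):
    """Parse 'key = value' lines; ';' starts a comment and [section] headers are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: no ';' inside quoted values
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return one finding per directive whose effective value is risky."""
    s = parse_ini(text)
    findings = []
    if not s.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may read any directory the web user can")
    for key, default in DEFAULTS.items():
        if s.get(key, default).lower() in TRUTHY:  # absent directive -> built-in default
            findings.append(f"{key} is On; set it to Off")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",")}
    if "dl" not in disabled:
        findings.append("disable_functions omits dl(), which can load extensions that bypass it")
    return findings
```

Running `audit(WEAK_INI)` reports eight findings, including the commented-out allow_url_fopen line that silently falls back to On, while `audit(HARDENED_INI)` reports none.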