How to further strengthen security in the PHP environment? Introduction to methods to enhance the security of PHP environment

不言
Release: 2023-04-03 19:12:02
Original
1364 people have browsed it

The content of this article is about how to further strengthen security in the PHP environment? The introduction of methods to enhance the security of PHP environment has certain reference value. Friends in need can refer to it. I hope it will be helpful to you.

After a PHP application is deployed, developers or operation and maintenance personnel should always pay attention to PHP vulnerability news, upgrade the PHP version, and perform security reinforcement on the PHP environment. This article will introduce to you how to make your website stronger and more secure from the perspective of WEB security.

1. Enable PHP's safe mode

The safe mode provided by the PHP environment is a very important built-in security mechanism. The PHP safe mode can effectively control some functions in the PHP environment (such as system () function), controls permissions on most file operation functions, and does not allow modification of certain key files (such as /etc/passwd). However, the default php.ini configuration file does not enable safe mode.

You can enable PHP safe mode by modifying the php.ini configuration file:

safe_mode = on
Copy after login

2. User group security

When you enable safe mode, if the safe_mode_gid option is turned off , the PHP script can access the file, and users in the same user group can also access the file.

Therefore, it is recommended that you set this option to off:

safe_mode_gid = off
Copy after login

Note: This option parameter only applies to Linux operating systems.

If you do not make this setting, you may not be able to operate files in the server website directory.

3. Home directory for executing programs in safe mode

If you want to execute certain programs after enabling safe mode, you can specify the home directory where the program needs to be executed, for example:

safe_mode_exec_dir = /usr/bin
Copy after login

Under normal circumstances, if you do not need to execute any programs, it is recommended that you do not specify the directory for executing system programs. You can specify a directory and then copy the program that needs to be executed to this directory, for example:

safe_mode_exec_dir = /temp/cmd
Copy after login

However, it is recommended that you do not execute any program. In this case, you only need to point the execution directory to the web page directory:

safe_mode_exec_dir = /usr/www
Copy after login

Note: The path to the execution directory is subject to the directory path of your actual operating system.

4. Include files in safe mode

If you need to include some public files in safe mode, you only need to modify the following options:

safe_mode_include_dir = /usr/www/include/
Copy after login

General situation Below, the files included in the PHP script have been written in the program and can be set according to your specific needs.

5. Control the directories that PHP scripts can access

Use the open_basedir option to control that PHP scripts can only access specified directories. This can prevent PHP scripts from accessing files that should not be accessed to a certain extent. Reduced the harm of phpshell. Under normal circumstances, it can be set to only access the website directory:

open_basedir = /usr/www
Copy after login

6. Turn off dangerous functions

If you enable the safe mode, you do not need to set the function ban, but for security reasons , it is still recommended that you make relevant settings. For example, you do not want to execute PHP functions including system(), etc. that execute commands, and functions such as phpinfo() that can view PHP information, then you can prohibit these functions through the following settings:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl
Copy after login

If If you want to prohibit operations on any files and directories, you can turn off the following file-related operations.

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp,chmod, chown
Copy after login

Note: The above settings only list some of the more commonly used file processing functions. You can also combine the above execution command functions with these file processing functions to resist Most phpshell threats.

7. Turn off the leakage of PHP version information in HTTP headers

In order to prevent hackers from obtaining the PHP version information in the server, you can prohibit the leakage of this information in HTTP header content:

expose_php = off
Copy after login

After setting this, hackers will not be able to see the PHP version information when they execute telnet 80 and try to connect to your server.

8. Turn off registration of global variables

Variables submitted in the PHP environment, including variables submitted using the POST or GET command, will be automatically registered as global variables and can be directly accessed. This is very unsafe for your server, so it is recommended that you turn off the option to register global variables and prohibit the registration of submitted variables as global variables.

register_globals = off
Copy after login

Note: This option parameter has been removed in PHP 5.3 and later versions.

Of course, if this is set, reasonable methods need to be used to obtain the corresponding variables. For example, to obtain the variable var submitted by the GET command, you need to use the $_GET['var'] command to obtain it. You need to pay attention to it when designing PHP programs.

9.SQL injection protection

SQL injection is a very dangerous problem, which may cause the website backend to be invaded, or even cause the entire server to collapse.

magic_quotes_gpc option is turned off by default. If this option is turned on, PHP will automatically convert user-submitted requests for SQL queries (for example, convert ' to \', etc.), which is very effective in preventing SQL injection attacks, so it is recommended that you set this option to:

magic_quotes_gpc = on
Copy after login

Note: This option parameter has been removed in PHP 5.4.0 and later versions.

So it is best to use PDO preprocessing to process SQL queries.

10.错误信息控制

一般 PHP 环境在没有连接到数据库或者其他情况下会有错误提示信息,错误信息中可能包含 PHP 脚本当前的路径信息或者查询的 SQL 语句等信息,这类信息如果暴露给黑客是不安全的,因此建议您禁止该错误提示:

display_errors = Off
Copy after login

如果您确实要显示错误信息,一定要设置显示错误信息的级别。例如,只显示警告以上的错误信息:

error_reporting = E_WARNING & E_ERROR
Copy after login

注意: 强烈建议您关闭错误提示信息。

11.错误日志

建议您在关闭错误提示信息后,对于错误信息进行记录,便于排查服务器运行异常的原因:

log_errors = On
Copy after login

同时,需要设置错误日志存放的目录,建议您将 PHP 错误日志与 Apache 的日志存放在同一目录下:

error_log = /usr/local/apache2/logs/php_error.log
Copy after login

注意: 该文件必须设置允许 Apache 用户或用户组具有写的权限。

相关推荐:

PHP中的session安全吗?,PHPsession安全

安全防范措施 PHP安全防范技巧分享

PHP网站常见安全漏洞及相应防范措施总结,安全漏洞防范措施

The above is the detailed content of How to further strengthen security in the PHP environment? Introduction to methods to enhance the security of PHP environment. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template
About us Disclaimer Sitemap
php.cn:Public welfare online PHP training,Help PHP learners grow quickly!