This article explains how to further strengthen security in a PHP environment and introduces methods for hardening the PHP configuration. It is intended as a reference for anyone who needs it.
After a PHP application is deployed, developers and operations staff should keep an eye on PHP vulnerability announcements, upgrade the PHP version, and harden the PHP environment. This article looks at how to make your website stronger and more secure from the perspective of web security.
1. Enable PHP's safe mode
Safe mode is an important built-in security mechanism of the PHP environment. It can restrict certain functions (such as system()), controls the permissions of most file-operation functions, and does not allow key files (such as /etc/passwd) to be modified. However, the default php.ini configuration file does not enable safe mode.
You can enable PHP safe mode by modifying the php.ini configuration file:
safe_mode = on
2. User group security
When safe mode is enabled, the safe_mode_gid option decides how PHP's ownership check on files is performed: with the option turned off, a PHP script may only open files owned by the same user ID; turning it on relaxes the check to the group ID, so files owned by other users in the same user group become accessible as well.
Therefore, it is recommended that you set this option to off:
safe_mode_gid = off
Note: This option parameter only applies to Linux operating systems.
If you do not make this setting, scripts may be unable to operate on files in the website directory on the server.
3. Home directory for executing programs in safe mode
If you need to execute certain programs after enabling safe mode, you can specify the directory from which programs may be executed, for example:
safe_mode_exec_dir = /usr/bin
Under normal circumstances, if you do not need to execute any programs, it is recommended that you do not point this directive at a directory of system programs. Instead, you can specify a separate directory and copy only the programs that need to be executed into it, for example:
safe_mode_exec_dir = /temp/cmd
Best of all, however, is not to execute any program at all. In that case, simply point the execution directory at the web page directory:
safe_mode_exec_dir = /usr/www
Note: The path of the execution directory depends on the directory layout of your actual operating system.
4. Include files in safe mode
If you need to include some public files in safe mode, you only need to modify the following options:
safe_mode_include_dir = /usr/www/include/
In general, the files included by a PHP script are already written into the program, so set this directive according to your specific needs.
5. Control the directories that PHP scripts can access
Use the open_basedir option to restrict PHP scripts to specified directories. To a certain extent this prevents PHP scripts from accessing files they should not touch, and it reduces the damage a PHP webshell can do. Under normal circumstances it can be set so that only the website directory is accessible:
open_basedir = /usr/www
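As an added example (not code from the original article), the following script shows the confinement that the open_basedir setting above imposes. It tightens open_basedir at runtime with ini_set(), which PHP permits from version 5.3 onward (tightening is allowed, loosening is not), using a constructed temporary directory that stands in for /usr/www, and then attempts reads inside and outside that tree. Unlike safe mode, which was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, open_basedir is still available in current PHP releases, so it is the mechanism to rely on. The /etc/passwd path is assumed to exist on the host.

```php
<?php
// Added example, not code from the original article: shows how open_basedir
// confines file access. Run from the command line: php open_basedir_demo.php
declare(strict_types=1);

// Constructed sandbox standing in for the /usr/www web root of the article.
$webroot = sys_get_temp_dir() . '/php_basedir_demo_' . getmypid();
mkdir($webroot, 0700);
$webroot = realpath($webroot);   // open_basedir compares resolved paths
file_put_contents($webroot . '/index.txt', "inside the web root\n");

// A file that lies outside the web root on a Linux/macOS host (assumption).
$outside = '/etc/passwd';

// open_basedir may be tightened at runtime but never loosened, so the same
// confinement that php.ini's "open_basedir = /usr/www" gives can be shown here.
if (ini_set('open_basedir', $webroot) === false) {
    fwrite(STDERR, "could not set open_basedir\n");
    exit(1);
}

/** Attempt a read and report whether open_basedir let it through. */
function tryRead(string $path): string
{
    // The "@" hides the "open_basedir restriction in effect" warning so the
    // result line stays readable; in real code let it reach the error log.
    $data = @file_get_contents($path);
    return ($data === false ? 'DENIED  ' : 'ALLOWED ') . $path;
}

echo tryRead($webroot . '/index.txt'), PHP_EOL;   // ALLOWED
echo tryRead($outside), PHP_EOL;                  // DENIED

// The restriction also covers existence checks and directory functions,
// so a script cannot even probe for files outside the allowed tree.
var_dump(@file_exists($outside));                 // bool(false)
var_dump(@is_dir(dirname($webroot)));             // bool(false)

// Clean-up stays inside the allowed tree, so it is still permitted.
unlink($webroot . '/index.txt');
rmdir($webroot);
```

The check is applied to the resolved path, so ".." components and symlinks do not escape the confinement; the warning that is suppressed here with "@" is exactly the event worth having in the error log on a production server.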
6. Turn off dangerous functions
If safe mode is enabled you do not strictly need to ban functions, but for security reasons it is still recommended. For example, if you do not want command-executing functions such as system() to run, nor functions such as phpinfo() that reveal information about PHP, you can prohibit them with the following setting:
disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl
If you want to prohibit all operations on files and directories, you can turn off the following file-related functions:
disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp,chmod, chown
Note: The settings above list only some of the more commonly used file-handling functions. You can also combine the command-execution functions above with these file-handling functions to resist most PHP webshell threats.
7. Turn off the leakage of PHP version information in HTTP headers
To prevent attackers from learning the PHP version running on the server, you can stop this information from being leaked in the HTTP response headers:
expose_php = off
Once this is set, an attacker who connects to the server (for example with telnet) will no longer see the PHP version in the response headers.
8. Turn off registration of global variables
Variables submitted to the PHP environment, including those sent by POST or GET, are automatically registered as global variables and can be accessed directly. This is very unsafe for your server, so it is recommended that you turn off global variable registration and prevent submitted variables from becoming globals:
register_globals = off
Note: This option parameter has been removed in PHP 5.3 and later versions.
Of course, once this is set, the corresponding variables must be obtained in the proper way. For example, to read the variable var submitted by GET, you need to use $_GET['var']. Keep this in mind when designing PHP programs.
9. SQL injection protection
SQL injection is a very dangerous problem: it may lead to the website backend being compromised, or even bring down the entire server.
The magic_quotes_gpc option is turned off by default. When it is turned on, PHP automatically escapes user-submitted data before it reaches SQL queries (for example, converting ' to \'), which helps against SQL injection attacks, so it is recommended that you set this option to:
magic_quotes_gpc = on
Note: This option parameter has been removed in PHP 5.4.0 and later versions.
So it is best to use PDO prepared statements to process SQL queries.
10. Error message control
Normally, when a PHP environment cannot connect to the database, or in other failure situations, it shows an error message. The message may contain the current path of the PHP script, the SQL statement being executed and similar details; exposing such information to attackers is unsafe, so it is recommended that you disable these error messages:
display_errors = Off
If you really must display error messages, be sure to set the level of errors that are displayed. For example, to show only errors and warnings (the levels are combined with a bitwise OR; a bitwise AND of these two constants evaluates to 0 and would silence reporting entirely):
error_reporting = E_ERROR | E_WARNING
Note: It is strongly recommended that you turn error messages off.
11. Error log
After turning off error display, it is recommended that you record error messages so that the causes of abnormal server behaviour can be investigated:
log_errors = On
At the same time, you need to set the directory where the error log is stored; it is recommended to keep the PHP error log in the same directory as Apache's logs:
error_log = /usr/local/apache2/logs/php_error.log
Note: This file must be writable by the Apache user or group.
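As an added example (not code from the original article), the following script audits the running PHP configuration against the directives discussed in sections 5 through 11 and reports, for each, whether it matches the hardened value; it also checks which of the command-execution functions from section 6 are actually disabled. It relies only on ini_get() and assumes PHP 8 or later. One practical point it encodes: php.ini keeps only the last disable_functions line, so the two lists given in section 6 must be merged into a single comma-separated directive, otherwise the first list is silently dropped. Run it from the command line; if it is ever run through the web server, delete it afterwards, since it prints configuration details.

```php
<?php
// Added example, not code from the original article: audits the running PHP
// configuration against the hardening settings discussed above and prints one
// line per directive. Run with the CLI: php audit.php (PHP 8 or later assumed).
declare(strict_types=1);

/** Expected values; "" for open_basedir/error_log means "any non-empty value". */
const BASELINE = [
    'safe_mode'        => '1',   // removed in PHP 5.4.0, reads as missing there
    'register_globals' => '0',   // likewise removed on modern PHP
    'magic_quotes_gpc' => '0',   // likewise removed on modern PHP
    'expose_php'       => '0',
    'display_errors'   => '0',
    'log_errors'       => '1',
    'open_basedir'     => '',    // must be set to something
    'error_log'        => '',    // must be set to something
];

/** Command-execution and information functions that section 6 disables. */
const MUST_BE_DISABLED = [
    'system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open',
    'phpinfo', 'dl',
];

/** Normalise the spellings php.ini accepts (On/Off/1/0/yes/no) to "1"/"0". */
function boolish(string|false $raw): string
{
    if ($raw === false) {
        return 'missing';        // ini_get() returns false for unknown directives
    }
    $v = strtolower(trim($raw));
    if (in_array($v, ['1', 'on', 'yes', 'true'], true)) {
        return '1';
    }
    return in_array($v, ['', '0', 'off', 'no', 'false'], true) ? '0' : $v;
}

/** Returns directive => [status, observed value] for every baseline entry. */
function auditIni(): array
{
    $findings = [];
    foreach (BASELINE as $directive => $want) {
        $raw = ini_get($directive);
        if ($want === '') {
            $ok   = is_string($raw) && trim($raw) !== '';
            $have = $raw === false ? 'missing' : ($raw === '' ? '(unset)' : $raw);
        } else {
            $have = boolish($raw);
            // A directive removed from this PHP version cannot be mis-set.
            $ok = $have === $want || $have === 'missing';
        }
        $findings[$directive] = [$ok ? 'OK' : 'FIX', $have];
    }
    return $findings;
}

/** Returns function name => "disabled" or "CALLABLE" for the section 6 list. */
function auditDisabledFunctions(): array
{
    // Only the last disable_functions line in php.ini survives, so the two
    // lists from section 6 have to be merged into one directive to be effective.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $findings = [];
    foreach (MUST_BE_DISABLED as $fn) {
        $findings[$fn] = in_array($fn, $disabled, true) ? 'disabled' : 'CALLABLE';
    }
    return $findings;
}

foreach (auditIni() as $directive => [$status, $have]) {
    printf("%-4s %-18s = %s\n", $status, $directive, $have);
}
foreach (auditDisabledFunctions() as $fn => $status) {
    printf("%-9s %s()\n", $status, $fn);
}
```

Note that the CLI and the web server SAPI may load different php.ini files and the CLI forces display_errors on, so for an accurate picture of what the web server runs, compare the output against the php.ini path shown by php --ini for that SAPI, or run the audit once through the web server and remove it.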
The above is the detailed content of How to further strengthen security in the PHP environment? Introduction to methods to enhance the security of PHP environment. For more information, please follow other related articles on the PHP Chinese website!