Description of PHP Safe Mode (safe_mode)

There is no doubt that PHP is a very powerful server-side scripting language, but powerful features always bring serious dangers with them. Here you will learn how to use PHP's safe mode to block some of those potential dangers.

What is PHP Safe Mode: safe_mode

Simply put, PHP safe mode means running PHP with the safe_mode option enabled.

PHP's safe mode provides a basically secure shared environment on a web server that runs PHP for multiple user accounts. When safe mode is turned on, some functions are completely disabled and some of the remaining functions are restricted.

In safe mode, functions that try to access the file system are restricted. The web server runs under its own user id, so to operate on a file that user must already have read or write permission on it. PHP adds a further check on top of this: when a script tries to read or write a local file with safe mode on, PHP checks whether the current user is the owner of the target file. If not, the operation is refused. (Write permission: at the lower level of file-system permissions the operating system may still allow the read or write, so it is PHP's safe mode that prevents you from touching another user's files through PHP. Of course, the web server may still be able to access any file that is world-writable.)

When safe mode is turned on, the functionality of the following list of functions will be limited:

chdir, move_uploaded_file, chgrp, parse_ini_file, chown, rmdir, copy, rename, fopen, require, highlight_file, show_source, include, symlink, link, touch, mkdir, unlink

Likewise, some functions in PHP extensions are also affected. (Loading modules: the dl function is disabled in safe mode. If you want to load extensions, you can only set the extension options in php.ini so that they are loaded when PHP starts.)

When PHP safe mode is turned on and a system program needs to be executed, the program must be in the directory specified by the safe_mode_exec_dir option, otherwise execution fails. Even when execution is allowed, the command line is automatically passed through the escapeshellcmd function for filtering.

The following list of functions that execute commands will be affected:

exec, shell_exec, passthru, system, popen

In addition, the backtick operator (`) is also turned off.

When running in safe mode, the putenv function has no effect, although it does not raise an error. Similarly, other functions that try to change PHP environment settings, such as set_time_limit and set_include_path, are also ignored.
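As an added example that is not PHP's own code or part of the original article, the following script approximates in userland the two checks described above (the file-owner check, with the group variant that safe_mode_gid selects, and the safe_mode_exec_dir check with escapeshellcmd filtering) for PHP versions that no longer have safe_mode. The function names and the paths in the usage section are assumptions.

```php
<?php
// Added example, not PHP's own code: a userland approximation of two safe
// mode checks for PHP versions that no longer have safe_mode. Function
// names and the paths in the usage section are assumptions.

// File check: the owner (or, like safe_mode_gid, the group) of the target
// file must match the owner of the running script. For a file that does not
// exist yet, the directory it would be created in is checked instead.
function safe_mode_file_allowed(string $path, bool $useGid = false): bool
{
    $real = realpath($path);
    if ($real === false) {
        $real = realpath(dirname($path));
        if ($real === false) {
            return false;
        }
    }
    if ($useGid) {
        return filegroup($real) === getmygid();
    }
    return fileowner($real) === getmyuid();
}

// Exec check: only programs inside $execDir may run (symlinks placed there,
// as the article suggests, are accepted), and the whole command line goes
// through escapeshellcmd() before it reaches the shell.
function safe_mode_exec(string $command, string $execDir): string
{
    [$program, $args] = array_pad(preg_split('/\s+/', trim($command), 2), 2, '');
    $dir = realpath($execDir);
    if ($dir === false) {
        throw new RuntimeException("exec dir $execDir does not exist");
    }
    $binary = $dir . '/' . basename($program);   // basename() blocks ../ traversal
    if (!is_file($binary) || !is_executable($binary)) {
        throw new RuntimeException("$program is not an executable inside $execDir");
    }
    $line = $args === '' ? $binary : $binary . ' ' . $args;
    $out = shell_exec(escapeshellcmd($line));
    return is_string($out) ? $out : '';
}

// Usage with placeholder paths:
$file = '/var/www/user1/data.txt';
if (safe_mode_file_allowed($file)) {
    echo file_get_contents($file);
}
echo safe_mode_exec('ls -l /tmp', '/usr/local/php-bin');
```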

How to enable PHP Safe Mode (please note that PHP 5.3 will no longer have Safe Mode)

To turn PHP's safe mode on or off, use the safe_mode option in php.ini:

safe_mode=On (use safe mode)

safe_mode=Off (turn off safe mode)

The corresponding setting for a VirtualHost in Apache's httpd.conf:

php_admin_flag safe_mode On (use safe mode)

php_admin_flag safe_mode Off (close safe mode)

or:

php_admin_value safe_mode 1 (use safe mode)

php_admin_value safe_mode 0 (close safe mode)

Effects of enabling Safe Mode:

File owner checks are performed when a function accesses the filesystem. By default the file owner's user id (uid) is checked; with the safe_mode_gid option you can change this to a check of the file's group id (gid) instead.

If you have shared library files on your system that your scripts need to include or require, you can use the safe_mode_include_dir option to set that path so that your code keeps working. (Include paths: if you want to allow several directories with safe_mode_include_dir, separate them the same way as in the include_path option: with colons under Unix/Linux and semicolons under Windows.)

For example, if you want to include files under /usr/local/include/php in safe mode, then you can set the options as:

safe_mode_include_dir=/usr/local/include/php

If your scripts need to execute external programs, you can set the safe_mode_exec_dir option.
For example, if the programs in the /usr/local/php-bin path need to be executable, you can set the option as:

safe_mode_exec_dir=/usr/local/php-bin

(Executables: if the programs you need to execute live in /usr/bin, you can link those binaries into the executable directory you specified with the option.)

If you want scripts to be able to set some environment variables, you can use the safe_mode_allowed_env_vars option. The value of this option is a prefix of environment variable names; by default only variables starting with php_ are allowed. To change this, set the value of the option, using commas to separate multiple prefixes.

For example, to also allow the time zone variable tz, change the value of this option to:

safe_mode_allowed_env_vars=php_,tz

In addition to safe mode, PHP provides several other options that help secure a PHP installation.

1. [Hide the version number of php]

You can use the expose_php option in php.ini to prevent the web server from exposing PHP's version information, as follows:

expose_php=Off

With this setting you can thwart some attacks on the web server by automated scripts. Normally the HTTP response header contains the following information:

Server: Apache/1.3.33 (Unix) PHP/5.2.4 mod_ssl/2.8.16 OpenSSL/0.9.7c

With the expose_php option set as shown above, the PHP version information is no longer included in this header.

Of course, visitors can also see the .php file extension when they browse the website. If you want to use a different file extension throughout, find the following line in httpd.conf:

AddType application/x-httpd-php .php

You can then change .php to any file extension you like, and you can list as many extensions as you want, separated by spaces. If you want PHP to parse .html and .htm files on the server side, set the option as follows:

AddType application/x-httpd-php .html .htm

(Parsing HTML: you can configure your web server to have PHP parse all HTML files, but if pages with no server-side code also go through PHP, server performance suffers. Using a different extension for static pages removes their dependency on the PHP scripting engine and improves performance.)

2. [File System Security]

Safe mode restricts script owners to their own files, but you can also use the open_basedir option to specify the directory that scripts are confined to. If you specify a directory, PHP denies access to anything outside that directory and its subdirectories. The open_basedir option also works outside safe mode.

To restrict file system access to the /tmp directory only, set the option as:

open_basedir=/tmp

3. [Function Access Control]

You can list function names separated by commas in the disable_functions option; those functions are then disabled in PHP scripts. This setting also works outside safe mode.

disable_functions=dl

Of course, you can also disable access to certain classes using the disable_classes option.

4. [Database Security]

Suppose your PHP script contains a MySQL query that is built from form values:

$sql = "update mytable set col1=" . $_POST["value"] . " where col2='somevalue'";

$res = mysql_query($sql, $db);

You expect $_POST["value"] to contain an integer that updates the column col1. However, a malicious user can enter a semicolon in the form field, followed by any SQL statement he or she wants executed.

For example, suppose the following is the value submitted in $_POST["value"]:

0;insert into admin_users(username,password) values ('me','mypassword');

When this query is sent to MySQL, it becomes the following SQL:

update mytable set col1=0;

insert into admin_users(username,password) values ('me','mypassword');

where col2='somevalue';

This is clearly a harmful query! The first statement updates col1 in the mytable table, which is harmless, but the second statement executes the insert and adds a new administrator who can log in. The third fragment is discarded; the SQL parser throws an error on it, so the malicious query does not complete cleanly. This attack is commonly known as SQL injection.

Of course, SQL injection has a prerequisite: the attacker must understand your database structure. In this example, the attacker knows that you have a table admin_users, that it contains username and password fields, and that the stored password is not encrypted.

Apart from yourself, the average website visitor does not know this information about the database. However, if you use an open-source e-commerce program or a free discussion board program, the definitions of those tables are public knowledge, or some users may have had access to your database.

In addition, the error your script outputs for a failed query contains a lot of important information about the database structure. On a production website you should set the display_errors option to off and use log_errors instead, so that warning and error messages are written to a file.

(Database permissions: this matters a great deal. The script should connect to the database with only the permissions it actually needs. Never connect as the administrator account in a script; if you do, an attacker may obtain full database privileges, including over other databases on the same server, and will likely run grant or create user commands to gain even more access.)

To prevent SQL injection attacks, you must ensure that the content submitted in user forms cannot become an executable SQL expression.

In the previous example an integer value was used in the update. If the value were a string enclosed in single quotes, the attacker would first have to submit a closing quote before the semicolon to break out of the SQL expression. However, when the magic_quotes_gpc option is enabled, quotes submitted in web forms are automatically escaped.

To prevent SQL injection by malicious attackers, you should always make sure that the submitted data is legitimate. If you need an integer value, test it with the is_numeric function, or convert it to a number with the settype function, which discards any appended SQL statement.

If your program needs several submitted values in one SQL expression, you can use the sprintf function to build the SQL string, using format characters to indicate the data type of each value. See the example below:

$sql = sprintf("update mytable set col1=%d where col2='%s'", $_POST["number"], mysql_escape_string($_POST["string"]));

In this example the MySQL database was used, so the string was filtered with the mysql_escape_string function. For other databases you can escape with the addslashes function, or use another method.
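As an added example that is not part of the original article, the vulnerable query builder from this section next to a hardened one, both run on the payload shown above. $_POST is replaced with a constructed array so the script runs offline; the prepared-statement function is a swapped-in substitute for mysql_escape_string, which no longer exists in current PHP, and the mytable/col1/col2 names are the article's own.

```php
<?php
// Added example, not code from the original article: the vulnerable query
// builder quoted above next to a hardened version, both run on the payload
// the text describes. $_POST is replaced by a constructed array so the
// script runs offline; mytable/col1/col2 are the article's own names.

// Vulnerable: the submitted value is concatenated into the SQL verbatim.
function build_update_vulnerable(array $post): string
{
    return "update mytable set col1=" . $post["value"] . " where col2='somevalue'";
}

// Hardened as the article recommends: validate with is_numeric() and let
// sprintf()'s %d force an integer, so nothing after the number survives.
function build_update_hardened(array $post): string
{
    if (!isset($post["value"]) || !is_numeric($post["value"])) {
        throw new InvalidArgumentException("value must be numeric");
    }
    return sprintf("update mytable set col1=%d where col2='somevalue'", $post["value"]);
}

// For string columns on current PHP (mysql_escape_string is gone), the
// replacement for escaping is a prepared statement: values never become
// part of the SQL text, so quotes and semicolons in them are inert.
function update_with_prepared(PDO $db, int $col1, string $col2): int
{
    $stmt = $db->prepare("update mytable set col1 = :col1 where col2 = :col2");
    $stmt->bindValue(':col1', $col1, PDO::PARAM_INT);
    $stmt->bindValue(':col2', $col2, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed malicious submission, the same payload the article shows.
$post = ["value" => "0;insert into admin_users(username,password) values ('me','mypassword');"];

echo "vulnerable: ", build_update_vulnerable($post), "\n";
try {
    echo "hardened:   ", build_update_hardened($post), "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}
// A legitimate submission passes validation and yields a single statement.
echo "hardened:   ", build_update_hardened(["value" => "42"]), "\n";
```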
