A basic explanation of PHP core configuration

PHP core configuration

Reference: the first chapter of "Code Audit: Enterprise-Class Web Code Security Architecture" by Yin Yi.

register_globals (global variable switch)

When enabled, parameters submitted by the user via GET, POST and so on are registered directly as global variables and initialized with the value of the corresponding parameter. Deprecated since PHP 5.3.0 and removed in PHP 5.4.0.

allow_url_include (whether to allow including remote files)

When enabled, remote files can be included directly.

magic_quotes_gpc (magic quotes automatic filtering)

Automatically adds a backslash (\) before single quotes, double quotes, backslashes and null characters in GET, POST and COOKIE variables. In PHP 5, magic_quotes_gpc does not filter $_SERVER variables, which leaves many vulnerabilities of the client-ip and referer kind exploitable. Its use is not recommended from PHP 5.3 onward, and PHP 5.4 removed it outright.

magic_quotes_runtime (magic quotes automatic filtering)

It also adds a backslash before single quotes, double quotes and backslashes. It differs from magic_quotes_gpc only in what it processes: it filters data obtained from a database or a file.

magic_quotes_sybase (magic quotes automatic filtering)

Automatically filters special characters. When on, it overrides the magic_quotes_gpc = on configuration. What it has in common with gpc is that it processes the same objects. The difference is in how it processes them: it only escapes null characters and turns each single quote (') into two single quotes (''). It is used less than gpc, and it was removed in PHP 5.4.0.

safe_mode (safe mode)

Safe mode is a security mechanism built into PHP. When it is set to on, the related directives that can be configured alongside it are safe_mode_include_dir, safe_mode_exec_dir, safe_mode_allowed_env_vars and safe_mode_protected_env_vars. safe_mode was removed in PHP 5.4.

open_basedir (directories PHP can access)

Limits which directories PHP can access. Usually it is enough to set it to the web directory. If an external script needs to be loaded, the directory containing that script must also be added to the open_basedir directive. Multiple directories can be separated with a semicolon.

disable_functions (disable functions)

In a real production environment, this directive can be used to prohibit sensitive functions so that PHP runs more securely. When you disable dangerous functions with this directive, remember to add dl() to the list as well, because an attacker can use dl() to load a custom PHP extension and so break through the restrictions set by disable_functions.

display_errors and error_reporting (error display)

display_errors controls whether internal PHP script errors are displayed. It can be turned on while debugging PHP; in a production environment it is advised to turn error echo off.
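The checks described in the sections above can be run against a php.ini file. The following is an added example, not code from the original post or the book: the function names `parse_ini` and `audit` and the `SAMPLE` configuration are constructed for illustration.

```python
import re

# Directives from this page that are risky when switched on.
RISKY_WHEN_ON = {
    "register_globals": "request parameters are registered as global variables",
    "allow_url_include": "remote files can be included",
    "display_errors": "script errors are echoed to the client",
}
# Directives this page says were removed in PHP 5.4.
REMOVED_IN_54 = {"register_globals", "magic_quotes_gpc", "magic_quotes_sybase", "safe_mode"}
TRUTHY = {"1", "on", "true", "yes"}  # boolean spellings php.ini accepts
# name = value; value is "quoted" (may contain ';') or bare up to an inline ';' comment
LINE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*=\s*(?:"([^"]*)"|([^;]*))')

def parse_ini(text):
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # comment lines (';') and section headers ('[PHP]') never match
            value = m.group(2) if m.group(2) is not None else m.group(3)
            settings[m.group(1)] = value.strip()
    return settings

def audit(text):
    cfg, findings = parse_ini(text), []
    for name, why in RISKY_WHEN_ON.items():
        if cfg.get(name, "").lower() in TRUTHY:
            findings.append((name, "enabled: " + why))
    for name in sorted(REMOVED_IN_54 & cfg.keys()):
        findings.append((name, "removed in PHP 5.4; do not rely on it for protection"))
    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    if disabled and "dl" not in disabled:
        findings.append(("disable_functions", "dl is not listed, so extensions can still be loaded"))
    if not cfg.get("open_basedir"):
        findings.append(("open_basedir", "unset: file access is not limited to the web directory"))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """[PHP]
; legacy settings carried over from an old install
register_globals = On
allow_url_include = 1
magic_quotes_gpc = On   ; relied on for escaping
display_errors = Off
disable_functions = "exec,system,passthru"
open_basedir = "/var/www/html"
"""

if __name__ == "__main__":
    for name, message in audit(SAMPLE):
        print(f"{name}: {message}")
```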

 

Official documentation: https://www.php.net/manual/zh/ini.list.php

Origin www.cnblogs.com/xhds/p/11431867.html