Three settings in the php.ini configuration can cause website security problems. Which three? Follow along with the editor below; it will surely be of help.
First of all, everyone knows that every PHP-based website needs its environment configured, whether with an integrated package or a manual build, but probably few people have looked at what the settings in php.ini actually do. Many webmasters set up php.ini by finding a tutorial online and adding or deleting wherever it tells them, step by step. Yet among these settings there really are two that can cause website security problems.
Someone will ask: how can a single php.ini file have security problems? Is a hacker going to attack my php.ini file?
No, not that; rather, the way PHP runs gives a hacker a window. Read the configuration steps below.
Take PHP installed on Windows as the example; the php.ini settings are almost identical across all versions. First download the PHP version you need from the official website, then extract and rename it.
Suppose PHP 7.4 is to be installed in the root of the server's D: drive: download the Non-Thread Safe (NTS) build of PHP, extract it, rename the folder to "php" and copy it to the root of the D: drive.
Open the php.ini-development file under D:\php, make a copy and rename it php.ini, then open D:\php\php.ini. The complete configuration process follows.
1. Change short_open_tag = Off to
short_open_tag = On
This allows template files that use PHP code in the form <? ?> to run normally; such code is common in ecshop, dedecms and WordPress templates, among others.
2. Find expose_php = On and change it to
expose_php = Off
For the sake of website security this stops PHP from revealing its version number, so that nobody can attack the site with a vulnerability for that specific PHP version. On some sites a single lookup with a webmaster tool shows at a glance which web server and PHP version are in use, and a hacker will certainly know the vulnerabilities of a given PHP version. Hiding the version number cannot be said to solve the problem, but it makes the hacker's job harder.
3. Find the following lines
; On windows:
; extension_dir = "ext"
Remove the semicolon in front of extension_dir and replace ext with PHP's installation path, as shown below. Mind the direction of the slashes; here PHP is installed on the D: drive.
extension_dir = "D:\php\ext"
4. Find max_execution_time = 30 and change 30 to 300 or 1200. This is the maximum run time of each script, 30 seconds by default; raising it avoids the constant connection timeouts that network speed or the server's location (such as an overseas host) can cause.
5. Search for ;cgi.force_redirect = 1, remove the semicolon and change 1 to 0. cgi.force_redirect = 0 means redirected execution of PHP files is turned off. For security, this prevents someone from uploading a trojan and executing it through a URL such as your-site-url/as=your-site-url/sdf/muma.php; a PHP file reached through such a redirect is executable, and once this is set to 0 that kind of redirected PHP file will no longer run.
This is also why some sites keep getting trojans planted. After this change, even if the site's front end has a vulnerability and a hacker uploads a trojan file, the trojan will not run this way, so it is of no use to them.
6. Find ;cgi.fix_pathinfo=1, remove the semicolon and change 1 to 0. This disables the parsing of illegal PHP paths: a PHP file "under" an image, such as /a.jpg/1.php, is illegal, and setting 0 forbids executing it. Disguising a trojan as an uploaded image has been around for a long time; with this kind of file forbidden to run, an uploaded trojan is useless because it is not allowed to execute.
7. Find ;fastcgi.impersonate = 1 and remove the semicolon in front of it. IIS and nginx parse PHP files through FastCGI, and without this enabled PHP programs will not run; Apache does not need it.
8. Search for ;cgi.rfc2616_headers = 0, remove the semicolon and change 0 to 1. This tells PHP which kind of header to use. What is a header? Something like this: HTTP/1.1.
9. Search for ;upload_tmp_dir =, remove the semicolon and add a path as follows:
upload_tmp_dir = D:\php\temp
This is the temporary directory for uploads, a temporary staging directory for files uploaded to the site; no uploaded file actually remains there.
10. Search for each of the following lines, one at a time, and remove the semicolon in front of it (a semicolon marks a comment, meaning the line is inactive; removing it makes the line take effect):
extension=bz2
extension=curl
extension=gd2
extension=gmp
extension=mbstring
extension=php_mysql.dll
extension=mysqli
extension=pdo_mysql
11. Find ;date.timezone =, remove the semicolon and change it to the following:
date.timezone = Asia/Shanghai
Mind the capitalisation. This sets the time zone used for formatting times, Beijing time (UTC+8) by default, so that the server's time and the application's time agree; otherwise the time shown on your posts may differ from the real time, by 8 hours if no time zone is set. You can also write date.timezone = PRC, which sets the China time zone; PRC is the short name for China's time zone.
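The eleven steps above folded into a check you can run against a copy of php.ini, as an added Python example that is not the article's own code. It parses php.ini-style text, treats lines commented out with ";" as unset, and reports which of the directives the article touches still differ from the values it recommends, listing separately the three the article calls security-relevant (steps 2, 5 and 6). The BEFORE and AFTER fragments are constructed to mirror the stock file and the edited one; D:\php is the article's hypothetical install path.

```python
"""Audit of the php.ini directives the article edits.

Added example, not the article's own code: parses php.ini-style text and
reports which of the directives from the eleven steps still differ from the
value the article recommends. A line commented out with ';' counts as unset.
"""
import re
from typing import Dict, Optional, Tuple

# Directive -> values the article accepts. Steps 2, 5 and 6 are the three the
# article calls security-relevant; the rest are included so the whole
# procedure can be checked at once.
EXPECTED: Dict[str, Tuple[str, ...]] = {
    "short_open_tag": ("On",),                   # step 1
    "expose_php": ("Off",),                      # step 2
    "max_execution_time": ("300", "1200"),       # step 4
    "cgi.force_redirect": ("0",),                # step 5
    "cgi.fix_pathinfo": ("0",),                  # step 6
    "fastcgi.impersonate": ("1",),               # step 7
    "cgi.rfc2616_headers": ("1",),               # step 8
    "date.timezone": ("Asia/Shanghai", "PRC"),   # step 11
}
SECURITY_RELEVANT = ("expose_php", "cgi.force_redirect", "cgi.fix_pathinfo")

_DIRECTIVE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return the effective key=value pairs of a php.ini-style text.

    ';' lines are comments (directive not set), '[Section]' lines are skipped,
    a trailing ';' comment is dropped, surrounding double quotes are stripped,
    and a later assignment overrides an earlier one, as PHP itself does.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()
        settings[key] = value
    return settings


def normalize(value: str) -> str:
    """Fold PHP's boolean spellings so that 'On', '1' and 'true' compare equal."""
    v = value.strip()
    low = v.lower()
    if low in _TRUE:
        return "1"
    if low in _FALSE:
        return "0"
    return v


def audit(text: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each directive in EXPECTED to (value found or None, matches article)."""
    settings = parse_php_ini(text)
    report: Dict[str, Tuple[Optional[str], bool]] = {}
    for key, accepted in EXPECTED.items():
        value = settings.get(key)
        ok = value is not None and normalize(value) in {normalize(a) for a in accepted}
        report[key] = (value, ok)
    return report


def security_findings(text: str) -> list:
    """Security-relevant directives (steps 2, 5, 6) not set as the article recommends."""
    report = audit(text)
    return sorted(k for k in SECURITY_RELEVANT if not report[k][1])


# Constructed fragment mirroring the stock php.ini-development before the edits.
BEFORE = """\
[PHP]
short_open_tag = Off
expose_php = On
max_execution_time = 30
; On windows:
; extension_dir = "ext"
;cgi.force_redirect = 1
;cgi.fix_pathinfo=1
;fastcgi.impersonate = 1
;cgi.rfc2616_headers = 0
;date.timezone =
"""

# Constructed fragment after the article's steps; D:\php is the article's hypothetical install path.
AFTER = """\
[PHP]
short_open_tag = On
expose_php = Off
extension_dir = "D:\\php\\ext"
max_execution_time = 300
cgi.force_redirect = 0
cgi.fix_pathinfo=0
fastcgi.impersonate = 1
cgi.rfc2616_headers = 1
upload_tmp_dir = D:\\php\\temp
date.timezone = Asia/Shanghai
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} ==")
        for key, (value, ok) in audit(text).items():
            shown = value if value is not None else "(unset)"
            print(f"{'OK ' if ok else 'FIX'} {key} = {shown}")
        print("security findings:", security_findings(text) or "none")
```

Run it against the real file by reading D:\php\php.ini into `audit()`. The check reads the file on disk, so it only confirms that the steps were carried out; it cannot see values that the web server or a per-directory configuration overrides, and `php --ini` will tell you which php.ini the interpreter actually loaded.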
That is the complete php.ini configuration. There really are three settings that concern the website's security, and because this file is usually set once and never changed again, such problems are not easy to notice.
Those are the details of the three settings in the php.ini configuration that can cause website security problems. Do you understand them now? For more, follow the other related articles on 主机参考!
Published by 主机参考; when reprinting please credit: Three settings in the php.ini configuration that can cause website security problems https://zhujicankao.com/12740.html