VPS参考测评推荐
专注分享VPS主机优惠信息
衡天云优惠活动
华纳云优惠活动

php.ini配置中有3处设置可能导致网站安全出问题

主机参考:VPS测评参考推荐/专注分享VPS服务器优惠信息!若您是商家可以在本站进行投稿,查看详情!此外我们还提供软文收录、PayPal代付、广告赞助等服务,查看详情!
我们发布的部分优惠活动文章可能存在时效性,购买时建议在本站搜索商家名称可查看相关文章充分了解该商家!若非中文页面可使用Edge浏览器同步翻译!PayPal代付/收录合作

php.ini配置中有3处设置可能导致网站安全出问题。那么是哪三处呢?跟着小编一起往下看吧。一定会对你们有所帮助的。

首先大家都知道所有的PHP源码网站都必须配置环境,不论是使用集成环境还是自己手动搭建,可能很少有人关注过php.ini里面配置的这些东西到底有什么作用,很多站长在设置php.ini文件时,都是网上找一个教程,然后人家说哪里增加哪里删除按步骤进行,但是这里面的设置还真有两处会引起网站安全问题。

有人会说就一个php.ini文件怎么可能会有安全问题呢,难不成hiker会攻击的我php.ini文件不成?

这倒不是啦,而是运行方式会给hiker提供一个窗口,请看下面的配置步骤说明。

windows系统上安装PHP为例,所有版本的php.ini文件的设置几乎都是一样的,先去官方网站下载需要的PHP版本,然后解压缩并重命名。

假设安装php7.4,安装在服务器" target="_blank" href="http://undefined" rel="external nofollow" rel="external nofollow" rel="external nofollow" gt;服务器的D盘根目录:下载Non-Thread Safe (NTS) 版本的PHP程序,然后解压缩,并重命名为“php”文件夹,将其拷贝到D盘根目录下面。

打开D:php下的php.ini-development文件,复制一份并将其重命名为php.ini,打开D:phpphp.ini文件,下面是完整的配置过程。

1、将short_open_tag = Off改为

short_open_tag = On

这样修改的作用是一些网站的模板文件中使用了如<? ?gt;这样的php代码,可保证代码可以正常执行,在ecshop、dedecms和WordPress等模板中也都常见于这类代码。

2、将expose_php = On,将其改为

expose_php = Off

作用是出于网站安全,禁止显示php的版本号,防止别人针对特定php版本漏洞攻击网站。有的网站你用站长工具一查,使用的是什么web服务器、PHP版本是多少都一目了然,对于特定的PHP版本漏洞,hiker当然是知道的,隐藏版本号虽不能说解决了问题,但是会给hiker增加难度。

3、查找如下代码

; On windows:

; extension_dir = "ext"

将这里的extension_dir前面的分号去掉,并且把ext修改为PHP的安装路径,如下所示。注意斜杠不要写反了,因为我把PHP安装在D盘的。

extension_dir = "D:phpext"

4、查找max_execution_time = 30,将数字30修改为300或1200。作用是每个脚本执行的最大时间,默认是30秒,解决可能因为网速和服务器的地址(如国外主机)可能会总是连接超时的问题。

5、搜索;cgi.force_redirect = 1,把前面的分号去掉,并把数字1改为0。cgi.force_redirect = 0的意思就是关闭重定向执行php文件,出于安全考虑防止别人上传木马执行如:你的网站url/as=你的网站url/sdf/muma.php,这样的重定向PHP文件是可执行的,将这个配置改为0之后这类型的重定向PHP文件就不会执行了。

这也是为什么有的网站总是被挂马的原因,这样修改之后即便是网站前台存在安全漏洞,被hiker上传了木马文件,通过这样的方式木马文件不会运行,所以没有用。

6、查找代码;cgi.fix_pathinfo=1将分号去掉并将数字1改为0。作用是禁止解析非法php文件,如/a.jpg/1.php这样的图片下的一个php文件属于非法的,设置为0就是禁止执行。这种将木马伪装成图片上传的文件存在已久,禁止这类文件运行,即使被上传了木马,由于设置了不允许运行,所以没有用。

7、查找代码fastcgi.impersonate = 1将前面的分号去掉。作用是iis或nginx使用的是fastcgi方式解析php文件,不开启就不能运行php程序,Apache则不用开启。

8、搜索 cgi.rfc2616_headers = 0 去掉分号并把0改为1。意思是告诉php使用什么样的报头,什么是报头呢?就像这个:HTTP/1.1。

9、搜索upload_tmp_dir =,将前面的分号删除并添加路径如下:

upload_tmp_dir = D:phptemp

意思是上传文件的临时目录,用来存放网站上传文件的临时虚拟目录,但是不会真的上传任何文件在里面。

10、分别搜索以下代码,一行一个,分别去掉其前面的分号(分号表示注释,不生效的意思,去掉就生效了):

extension=bz2

extension=curl

extension=gd2

extension=gmp

extension=mbstring

extension=php_mysql" target="_blank" href="http://undefined" rel="external nofollow" rel="external nofollow" rel="external nofollow" gt;mysql.dll

extension=mysqli

extension=pdo_mysql

11、查找date.timezone =删除分号并修改为如下这样:

date.timezone = Asia/Shanghai

注意大小写,意思是格式化时间,默认使用北京时间(东8区),这样可以使服务器时间和程序的时间一致,否则可能你发文章显示的时时间会和实际时间不一样,如果不设置时间可能会相差8小时,也可以设置为date.timezone = PRC ,设置时区为中国时区,PRC是中国时区的简称。

以上就是完整的php.ini文件配置,真的有3处设置和网站的安全有关系,由于这个文件一般只会设置一次,之后都不会去更改,所以有的问题也不容易被发现。

以上就是php.ini配置中有3处设置可能导致网站安全出问题的详细内容,你们了解了吗?如果想了解更多请关注主机参考其它相关文章!


There are three settings in the php.ini configuration that may cause website security problems. So what are the three places? Follow Xiaobian to look down. It will certainly help you.

First of all, we all know that all PHP source websites must be configured with environment. No matter the integrated environment is used or the website is built manually, few people have paid attention to the function of these things configured in php.ini. When many webmasters are setting php.ini file, they are looking for a tutorial on the Internet, and then they are told where to add or delete it according to the steps, but here There are really two aspects of face setting that can cause website security problems.

Some people will say that how can a php.ini file have security problems? Is it possible that hiker will attack my php.ini file?

This is not true, but the operation mode will provide a window for hiker. Please see the following configuration steps.

Take PHP installed on Windows system as an exle. The settings of all versions of php.ini file are almost the same. First go to the official website to download the required PHP version, and then extract and rename it.

Suppose php7.4 is installed in the d-root directory of the server "target =" _blank "href =" http: / / undefined " gt; download the non thread safe (NTS) version of PHP program, extract it, rename it to the" PHP "folder, and copy it to the d-root directory.

Open the php.ini-development file under D: PHP, copy it and rename it to php.ini, and open the D: PHP php.ini file. The following is the complete configuration process.

1. Change short "open" tag = off to

short_open_tag = On

The effect of this modification is that some websites use template files such as lt? Gt; this kind of PHP code can ensure the normal execution of the code, which is also common in ECSHOP, dedecms, WordPress and other templates.

2. Change expose? PHP = on to

expose_php = Off

The function is to prevent PHP version number from being displayed for the sake of website security, so as to prevent other people from attacking websites against specific PHP version vulnerabilities. Some websites you use the webmaster tool to check, which web server and PHP version you use are clear at a glance. For specific PHP version vulnerabilities, hiker certainly knows. Although the hidden version number can not be said to solve the problem, it will increase the difficulty for hiker.

3. Look for the following code

; On windows:

; extension_dir = "ext"

Remove the semicolon in front of extension dir here, and change ext to the installation path of PHP, as shown below. Note that the slash should not be written backwards, because I installed PHP on disk D.

extension_dir = "D:phpext"

4. Find max? Execution? Time = 30, and change the number 30 to 300 or 1200. The function is the maximum execution time of each script, which is 30 seconds by default. It can solve the problem that the connection may always time out due to the network speed and the address of the server (such as the foreign host).

5. Search; cgi.force_redirect = 1, remove the previous semicolon and change the number 1 to 0. Cgi.force_redirect = 0 means to close the redirection execution PHP file. For security reasons, prevent other people from uploading the Trojan horse to execute, such as: your website URL / as = your website URL / SDF / muma.php, so the redirection PHP file is executable. After changing this configuration to 0, this type of redirection PHP file will not execute.

This is also the reason why some websites are always hung up. After modification, even if there is a security hole in the front desk of the website, the Trojan file is uploaded by hiker. In this way, the Trojan file will not run, so it is useless.

6. Find the code; CGI. Fix_pathinfo = 1 remove the semicolon and change the number 1 to 0. The function is to prevent parsing illegal PHP files. For exle, a PHP file under a picture like / a.jpg/1.php is illegal. Setting 0 is to prevent execution. This kind of Trojan disguised as a picture upload file has existed for a long time. It is forbidden to run this kind of file. Even if the Trojan is uploaded, it is useless because it is set not to run.

7. Find the code fastcgi. Impersonate = 1 to remove the previous semicolon. The function is that IIS or nginx uses the fastcgi method to parse PHP files. If you do not open it, you cannot run PHP programs. Apache does not need to open it.

8. Search cgi.rfc2616 ﹐ headers = 0 remove the semicolon and change 0 to 1. It means to tell PHP what kind of header to use and what is it? Like this: http / 1.1.

9. Search for upload? TMP? Dir =, delete the previous semicolon and add the path as follows:

upload_tmp_dir = D:phptemp

It means the temporary directory of uploaded files, which is used to store the temporary virtual directory of uploaded files on the website, but it will not really upload any files in it.

10. Search for the following codes, one line at a time, and remove the semicolon (semicolon means comment. If it is not effective, it will take effect):

extension=bz2

extension=curl

extension=gd2

extension=gmp

extension=mbstring

extension=php_mysql" target="_blank" href="http://undefined" rel="external nofollow" rel="external nofollow" rel="external nofollow" gt;mysql.dll

extension=mysqli

extension=pdo_mysql

11. Find date.timezone = delete the semicolon and change it to the following:

date.timezone = Asia/Shanghai

Pay attention to case, which means format time. Beijing time (East 8 area) is used by default, so that the server time is consistent with the program time. Otherwise, the time displayed in your post may be different from the actual time. If you don't set the time, it may be 8 hours different, or you can set it to date.timezone = PRC , set the time zone as China time zone, and PRC is the abbreviation of China time zone.

The above is the complete php.ini file configuration. There are really three settings that have something to do with the security of the website. Because this file is usually only set once and will not be changed later, some problems are not easy to find.

The above is the details of three settings in php.ini configuration that may cause website security problems. Do you understand? If you want to learn more, please pay attention to the host and refer to other related articles!

--------------------------------------------------------------
主机参考,收集国内外VPSVPS测评主机测评云服务器虚拟主机独立服务器,国内外服务器高性价比建站主机相关优惠信息@zhujicankao.com
详细介绍和测评国外VPS主机,云服务器,国外服务器,国外主机的相关优惠信息,商家背景,网络带宽等等,也是目前国内最好的主机云服务器VPS参考测评资讯优惠信息分享平台

这几篇文章你可能也喜欢:

本文由主机参考刊发,转载请注明:php.ini配置中有3处设置可能导致网站安全出问题 https://zhujicankao.com/12740.html

【腾讯云】领8888元采购礼包,抢爆款云服务器 每月 9元起,个人开发者加享折上折!
打赏
转载请注明原文链接:主机参考 » php.ini配置中有3处设置可能导致网站安全出问题
主机参考仅做资料收集,不对商家任何信息及交易做信用担保,购买前请注意风险,有交易纠纷请自行解决!请查阅:特别声明

评论 抢沙发

评论前必须登录!