Abstract: The security environment discussed in this article is in Linux+Apache+Mysql+PHP. Security issues beyond this scope are beyond the scope of this article
The security environment discussed in this article is Linux+Apache+Mysql+PHP. Security issues beyond this scope are beyond the scope of this article
Apache Server security Settings
1. Run as the Nobody user
Typically, Apache is installed and run by Root. If the Apache Server process has Root privileges, it poses a serious security threat to the system. Ensure that the Apache Server process is run as the user with the lowest possible permissions. You can safely run Apache as the Nobody user by modifying the following options in the httpd.conf file.
User nobody
Group# -1
2. Permissions for the ServerRoot directory
To ensure that all configurations are appropriate and secure, access to the Apache home directory needs to be strictly controlled so that non-superusers cannot modify the contents of the directory. The Apache home directory corresponds to the Server Root control item in the Apache Server configuration file httpd.conf.
Server Root /usr/local/apache
3. SSI configuration
Add the Includes NO EXEC option to the Options directive in the access.conf or httpd.conf configuration file to disable the execution function in Apache Server. Avoid exposing the server system to the public by directly executing executing programs in the Apache server.
Options Includes Noexec
4. Prevent users from modifying system Settings
Perform the following operations in the Configuration file of the Apache server to prevent users from creating or modifying. Htaccess files to prevent users from exceeding specified system security features.
AllowOveride None
Options None
Allow from all
You can then configure the specific directories appropriately.
Change the default access feature of the Apache server
The default Settings of Apache provide only a certain level of security. If the server can find the file using normal mapping rules, the client will retrieve the file, such as http://local host/~ root/, allowing the user to access the entire file system. Add the following to the server file:
order deny,ellow
Deny from all
Default access to the file system is disabled.
6. Security considerations for CGI scripts
CGI scripts are a series of programs that can be run through a Web server. To ensure the security of the system, ensure that the CGI author is trusted. For CGI, it is best to restrict it to a specific directory, such as cgi-bin, for easy management. In addition, we should ensure that the files under the CGI directory are not writable, so as to avoid some fraudulent programs residing or mixed with them. If the user can provide a good security CGI program module as a reference, may reduce a lot of unnecessary trouble and security risks; Remove all scripts for non-business applications in the CGI directory to prevent abnormal information from being leaked.
7. SSL link encryption
These common measures can provide a basic secure operating environment for the Apache Server. Obviously, the specific implementation needs to be further refined and decomposed to develop a security configuration scheme that meets the actual application.
PHP security Settings
The server cannot prevent all security issues, such as program bugs, user input form issues, PHP file permissions, etc. Also can pass some means to confuse hacker or ulterior motive person.
1. Program code vulnerability
The major weaknesses of many PHP programs are not the PHP language itself, but the result of poor security awareness among programmers. Therefore, it is important to keep an eye out for possible problems with each piece of code to discover the impact of incorrect data being committed.
unlink ($evil_var);
fwrite (
system ($evil_var);
exec ($evil_var);
You must always pay attention to your code to ensure that every variable submitted from the client is checked properly
Look it up and ask yourself the following questions:
Does this script affect only the expected files?
Does abnormal data work when submitted?
Can this script be used for unplanned purposes?
Can this script be combined with other scripts to do bad things?
Are all transactions adequately documented?
Ask yourself these questions as you write code, or you may have to rewrite it later for added security. Paying attention to these issues may not guarantee the security of the system completely, but it can at least improve security.
You can also consider turning off register_globals, magic_quotes, or other Settings that make programming easier but confuse the validity, origin, and value of a variable.
2. User input form problems
Validate any data entered by the user and keep your PHP code secure.
Note 1: JS is designed to improve the experience of visiting users, not a validation tool. Any visiting user could, or could, inadvertently disable the execution of the client script, skipping this layer of validation. So we have to verify this data on the PHP server-side program.
Note 2: Do not use the $_SERVER[‘HTTP_REFERER’] supervariable to check the source of the data. Even a novice hacker would use a tool to falsify this variable. If possible, use Md5, or rand functions to generate a token and verify that the token matches the source.
3. PHP file permissions
PHP is designed to access the file system at the user level, so it’s entirely possible to write a piece of PHP code that reads system files like /etc/passwd, changes network connections, sends a lot of print tasks, and so on. Therefore, you must ensure that your PHP code reads and writes to the appropriate files. Take a look at the code below. The user wants to delete a file in his home directory. Assume that the file system is managed through a Web interface, so the Apache user has the right to delete files in the user directory.
unlink (“
echo “$file_to_delete has been deleted!” ;
Since the username variable can be submitted from the user form, you can submit someone else’s username and filename and delete the file. In this case, consider other ways of authentication:
– Give PHP web users very limited permissions. -Check all submitted variables. – The following is more secure file name and variable verification and checking:
if (! ereg(‘^[^./][^/]*
die(‘bad filename’);
if (! ereg(‘^[^./][^/]*
die(‘bad username’);
4. Hide the PHP extension
In general, enhancing security through concealment is considered to be of little use. But in some cases, it’s worth adding as much security as possible.
There are a few simple ways to help hide PHP, which can make it harder for attackers to discover system weaknesses. Setting expose_php = off in the php.ini file reduces the amount of useful information available to them.
Another strategy is to have the Web server parse different extensions in PHP. Either through.htaccess files or Apache configuration files, you can set file extensions that can mislead attackers:
Make PHP look like any other programming language
AddType application/x-httpd-php .asp .py .pl
Makes PHP look like an unknown file type
AddType application/x-httpd-php .bop .foo .133t
Make PHP code look like HTML pages
AddType application/x-httpd-php .htm .html
For this method to work, you must change the PHP file extension to the one above. This improves security through hiding, although defenses are low and have some drawbacks.
Mysql database security Settings
PHP by itself does not secure a database. The following sections only cover basic database access and manipulation using PHP scripts. Remember a simple rule: go deep on defense. The more you protect a database, the harder it is for an attacker to access and use the information in the database. Properly designed and applied databases can reduce the fear of being attacked.
1. Database design problems
Applications should never use database owner or superuser accounts to connect to a database, because these accounts can perform arbitrary actions, such as modifying the database structure (such as deleting a table) or emptying the entire database. The user Settings in the screenshot below are dangerous.

A different database account should be created for each aspect of the program and given very limited permissions on database objects. Assign only the permissions necessary to complete its functions, so that the same user does not have to do what another user does. In this way, even if the attacker uses the program vulnerability to get access to the database, it can only do the same scope of influence as the program.
2. The database connection is faulty
Establishing the connection over SSL encryption can increase the security of client-server communication, or SSH can be used to encrypt the connection between the client and the database. If these techniques are used, it is very difficult for an attacker to monitor server traffic or get information from the database.
3. Encrypt database data
SSL/SSH can protect data exchanged between the client and server, but cannot protect existing data in the database. SSL is simply a protocol for encrypting network traffic.
If an attacker gains direct access to the database (bypassing the Web server), sensitive data can be exposed or abused unless the database itself protects the information. Encrypting data within a database is an effective way to reduce this risk, but few databases provide these encryption features.
A simple solution to this problem is to create your own encryption mechanism and use it in your PHP program. The most common example is to store the MD5 hash of the password in the database instead of the plain text password.
$query = sprintf(“INSERT INTO users(name,pwd) VALUES(‘%s’,’%s’);” .
connection, $query);
$query = sprintf(“SELECT 1 FROM users WHERE ,
connection, $query);
if (pg_num_rows($result) > 0) {
echo ‘Welcome, $username! ‘;
} else {
echo ‘Authentication failed for $username.’;
4. SQL injection problems
Direct SQL command injection is a common technique used by attackers to create or modify existing SQL statements, so as to obtain hidden data, overwrite key values, or even execute database host operating system commands. This is achieved by the application taking user input and combining it with static parameters into an SQL query. Here are some real examples.
$query = “SELECT id, name, inserted, size FROM products
WHERE size = ‘$size’
limit, $offset;” ;
conn, $query);
You can add another SELECT query to the original query to get the password: union select ‘1’, concat(uname||’-‘||passwd) as name, ‘1971-01-01’, ‘0’ from usertable; If the above statements (using ‘and -) were added to any of the variables in $query, you would be in trouble.
These attacks are always based on undigging insecure code. So never trust input data, especially from clients, including checkboxes, form hiding fields, and cookies. As in the first example above, even a normal query can cause disaster.
Never use a superuser or owner account to connect to a database. Use an account with restricted permissions. Check that the input data has the expected data format. PHP has many functions that can be used to check input, ranging from simple variable functions and character type functions (such as is_numeric(), ctype_digit()) to complex Perl-compatible regular expression functions.
If the program is waiting for a number to be entered, consider using is_numeric() to check, or setType () directly to convert it, or sprintf() to format it as a number.
A more secure way to prevent SQL injection from paging:
settype($offset, ‘integer’);
offset;” ;
$query = sprintf(“SELECT id, name FROM products ORDER BY name LIMIT 20 OFFSET %d;” .
Original text: the SDK. Cn/news / 2717