Some security settings of PHP


Happy new year to you guys. I haven’t updated my blog for another half month. Update is also more casual, think of what to write something, convenient and everyone work with learning summary.

Recently, I talked about PHP security related issues with my colleagues and recorded some experience.

Due to many reasons of script language and early version design, there are many security risks in PHP project. From the perspective of configuration options, you can do the following optimization.

1. Block PHP error output.
In / etc/ php.ini (default profile location), change the following configuration value to off


Do not output the error stack information directly to the web page to prevent hackers from using the relevant information.

The right approach is:
Write the error log to the log file for troubleshooting.


2. Block PHP version.
By default, the PHP version will be displayed in the return header, such as:
Response Headers X-powered-by: PHP/7.2.0

take php.ini The following configuration value in is changed to off



3. Turn off global variables.
If you turn on global variables, the data submitted by some forms will be automatically registered as global variables. The code is as follows:

If the global variable is enabled, the server-side PHP script can use $username and $password to get the user name and password, which will cause great danger of script injection.

The opening method is php.ini , amend to read:


It is recommended to close, with the following parameters:


When it’s closed, you can only$_ POST、$_ GET、$_ Obtain the relevant parameters in request.


4. File system restrictions
You can open_ Basedir to restrict the system directories that PHP can access.

If you do not restrict the use of the following script code( hack.php )The system password can be obtained.

<?php echo ('/etc/passwd');


When it is set, an error will be reported and relevant information will not be displayed, so that system directory B will not be accessed illegally:

PHP Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3

Warning: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/var/www) in /var/www/hack.php on line 3 PHP Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3

Warning: file_get_contents(/etc/passwd): failed to open stream: Operation not permitted in /var/www/hack.php on line 3

The setting method is as follows:



5. Prohibit remote resource access.



Other third party security extensions
Suhosin is a protection system for PHP programs. It is designed to protect servers and users from known or unknown defects in PHP programs and PHP core (it feels practical and can resist some small attacks). Suhosin has two independent parts, which can be used separately or jointly.

The first part is a patch for PHP core, which can resist the weakness of buffer overflow or format string (this is necessary!) ;

The second part is a powerful PHP extension (the extension mode is very good, easy to install…) , including all other protection measures.

Install extensions

tar zxvf suhosin-
cd suhosin-
./configure  --with-php-config=/usr/local/bin/php-config
make install
stay php.ini Join below that will do



  1. Simulator protection mode
  2. Add two functions sha256() and sha256_ File () to the PHP core
  3. All platforms, join crypt_ Blowfish in function crypt()
  4. Turn on transparent protection for phpinfo() page
  5. SQL database user protection (test phase)

Runtime protection

  1. Encrypt cookies
  2. Prevent different types of inclusion vulnerabilities (do not allow remote URL inclusion (black / white list); do not allow uploaded files; prevent directory traversal attacks)
  3. Allow preg to be disabled_ replace()
  4. Allow eval() function to be disabled
  5. Prevent infinite recursion by configuring a maximum execution depth
  6. Support black and white list configuration for each Vhost
  7. Provide a separate black and white list of functions for code execution
  8. Prevent HTTP response splitting vulnerability
  9. Prevent script control memory_ Limit option
  10. Protect PHP’s super globals, such as extract(), import_ request_ vars()
  11. Prevent new line attack of mail() function
  12. Prevent preg_ Replace() attack

Session protection

  1. Encrypt session data
  2. Prevent session hijacking
  3. Prevent super long session ID
  4. Prevent malicious session ID

The data in session is usually stored in plaintext on the server. Here, encryption and decryption are performed on the server$_SESSION。 In this way, when the session handle is stored in Memcache or database, it will not be easily broken. In many cases, our session data will store some sensitive fields.

This feature is enabled by default. You can also use the php.ini To modify:

suhosin.session.encrypt = On
suhosin.session.cryptkey = zuHywawAthLavJohyRilvyecyondOdjo
suhosin.session.cryptua = On
suhosin.session.cryptdocroot = On

;; IPv4 only
suhosin.session.cryptraddr = 0
suhosin.session.checkraddr = 0


Cookie encryption

The HTTP header of the cookie in the client browser is also clear text. By encrypting cookies, you can protect your application against many attacks, such as

  • Cookie tampering: an attacker may try to guess other reasonable cookie values to attack the program.
  • Use cookies across applications: improperly configured applications may have the same session store. For example, if all sessions are stored in the / tmp directory by default, the cookies of one application may never be reused for another application as long as the encryption key is different.

Cookie encryption in php.ini Configuration in:

suhosin.cookie.encrypt = On

;; the cryptkey should be generated, e.g. with 'apg -m 32'
suhosin.cookie.cryptkey = oykBicmyitApmireipsacsumhylWaps1
suhosin.cookie.cryptua = On
suhosin.cookie.cryptdocroot = On

;; whitelist/blacklist (use only one)
;suhosin.cookie.cryptlist = WALLET,IDEAS
suhosin.cookie.plainlist = LANGUAGE

;; IPv4 only
suhosin.cookie.cryptraddr = 0
suhosin.cookie.checkraddr = 0
Blocking Functions

##The default PHP session is saved in the TMP path
ll  -rt /tmp | grep sess
##View the data of a session when the extension is not enabled
cat  sess_ururh83qvkkhv0n51lg17r4aj6
//Records are clear text
##View the data of a session after the extension is enabled
cat  sess_ukkiiiheedupem8k4hheo0b0v4
//The record is ciphertext
We can see the importance of encryption to security

Blocking function

White list

##Explicitly specify the specified whitelist list
suhosin.executor.func.whitelist = ,,
suhosin.executor.eval.whitelist = ,,

eval('echo htmlentities("");');


##Explicitly specify the specified blacklist list
suhosin.executor.func.blacklist = ,,,,,,,,hail,,
suhosin.executor.eval.whitelist = ,,,,,,,,hail,,
View the black and white list of illegal calls through the log

suhosin.simulation = 1
suhosin.. = 511 = /tmp/suhosin-alert.

Other configuration items

suhosin.executor.include .max_ Maximum depth of traversal directory expansion, which can shield switching to illegal path
suhosin.executor.include . whitelist allowed URLs, separated by commas
suhosin.executor.include . blacklist forbidden URLs, separated by commas
suhosin.executor.disable_ Eval = on disable Eval function

suhosin.upload.verification_ Script upload file check script to check whether the uploaded content contains webshell features

With suhosin, you can get some error logs. You can put these logs in the system log or write them to any other log file at the same time;

It can also create blacklist and whitelist for each virtual host;

You can filter get and post requests, file uploads, and cookies;

You can also send encrypted sessions and cookies, and you can set storage lines that cannot be transferred, etc;

Unlike the original PHP enhanced patch, suhosin is compatible with third-party extensions like Zend optimizer.