Most PHP programmers don't understand how to deploy safe code
2022-07-29 05:51:00 【Liaoshengping】
If your website still runs with 777 permissions, your server is open to anyone: whoever can write a file into the directory can also execute scripts there.
I have seen outsourced projects where the permissions of the whole project were set to 777. That is genuinely dangerous, because an attacker can upload a file to any directory and then execute it.
This is bad, and some programmers use tools to scan for exactly such vulnerabilities. Many PHP programmers boast in their résumés of having cracked PHP sites or implanted backdoors; that is possible because the early barrier to entry for PHP programmers was low and security awareness was weak, so many websites can be made to give up a shell.
How should the PHP running directory be set up correctly? Let me summarize some methods and share them with you.
Set the owner of the directory
PHP programs are generally invoked by nginx or apache, so the system will have a www user and group (depending on the setup, it may be called www-data instead). Give that user ownership of the project tree:
sudo chown -R www-data:www-data /path/to/your/laravel/root/directory
But if we run php artisan commands, or transfer files to the server over FTP, setting the permissions like this will cause errors, because the directory now belongs to the www-data user and group. Your own login user should therefore be added to the web server's group (on Ubuntu that user is typically ubuntu, on Vagrant it is vagrant):
sudo usermod -a -G www-data ubuntu
Set the permissions
First, restore to your program the read and write permissions the PHP framework requires, and only on the directories it actually writes to.
Laravel:
sudo chgrp -R www-data storage bootstrap/cache
sudo chmod -R ug+rwx storage bootstrap/cache
If it is the ThinkPHP framework:
sudo chgrp -R www-data runtime
sudo chmod -R ug+rwx runtime
With this, your PHP framework is relatively safe: only the framework's writable directories are group-writable, and nothing is world-writable.
Upload permission
Some of our small programs need to upload pictures or files to the server (although it is recommended to upload to OSS or a third-party storage service such as Qiniu instead).
To prevent an uploaded file from being run as a malicious program, we can have Nginx or Apache refuse to execute PHP scripts in the upload directory.
Nginx (this location block must appear before the generic location ~ \.php$ block, because the first matching regex location wins):
location ~ ^/(uploads|assets)/.*\.(php|php5|jsp)$ {
deny all;
}
Apache (in the document root .htaccess, with mod_rewrite enabled):
RewriteEngine on
# Return 403 for any request that targets a .php file under uploads/
RewriteRule ^uploads/.*\.php$ - [F]
With this in place, your program is covered by a thick shield. Note that both rules filter by file extension only, so they complement, rather than replace, the ownership and permission settings above.
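As an added example that is not part of the original post, here is a small POSIX shell script that audits a project tree for the two conditions the post warns about (a 777 tree and script files in the upload directory) and applies the Laravel permission layout described above; the www-data user and the directory names are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Two audits for the problems the
# post describes (a 777 tree, script files in the upload directory) and one
# function that applies the post's Laravel layout. Assumes the web server
# runs as www-data, as in the post; apply_laravel_perms must run as root.

# audit_world_writable ROOT
# Lists every file or directory under ROOT that is writable by "other", the
# bit chmod 777 sets. Returns 1 if any exist, 0 if the tree is clean.
audit_world_writable() {
    root="$1"
    hits=$(find "$root" ! -type l -perm -002)
    if [ -n "$hits" ]; then
        printf 'world-writable entries under %s:\n%s\n' "$root" "$hits" >&2
        return 1
    fi
    return 0
}

# audit_upload_scripts UPLOAD_DIR
# Lists script files in the upload directory using the same extensions the
# post's Nginx rule blocks. A hit means something was uploaded that the web
# server must never be allowed to execute. Returns 1 if any exist.
audit_upload_scripts() {
    dir="$1"
    hits=$(find "$dir" -type f \( -name '*.php' -o -name '*.php5' -o -name '*.jsp' \))
    if [ -n "$hits" ]; then
        printf 'script files in upload dir %s:\n%s\n' "$dir" "$hits" >&2
        return 1
    fi
    return 0
}

# apply_laravel_perms ROOT DEPLOY_USER
# The post's procedure in one place: the web server owns the tree, the deploy
# user joins the web server's group, only storage/ and bootstrap/cache are
# group-writable, and nothing stays writable by "other".
apply_laravel_perms() {
    root="$1"
    deploy_user="$2"
    chown -R www-data:www-data "$root"
    usermod -a -G www-data "$deploy_user"
    chmod -R o-w "$root"
    chmod -R ug+rwx "$root/storage" "$root/bootstrap/cache"
}

# Usage (as root): . ./phpperms.sh; apply_laravel_perms /var/www/app ubuntu
# Then audit:      audit_world_writable /var/www/app && audit_upload_scripts /var/www/app/public/uploads
```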