Stack Overflow
Stack Overflow

Questions tagged [mod-php]

PHP installed as an Apache module

There are (at least) two ways of running PHP, when working with Apache :

  • Using CGI : a PHP process is launched by Apache, and it is that PHP process that interprets PHP code -- not Apache itself
  • Using PHP as an Apache module (called mod_php) : the PHP interpreter is then kind of "embedded" inside the Apache process : there is no external PHP process -- which means that Apache and PHP can communicate better.

When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely possible that a web spider could stumble across a database administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, .htaccess files, etc. and include that code as part of your PHP scripts.

Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions.

A frequent security mistake made at this point is to allow apache root permissions, or to escalate apache's abilities in some other way.

Escalating the Apache user's permissions to root is extremely dangerous and may compromise the entire system, so sudo'ing, chroot'ing, or otherwise running as root should not be considered by those who are not security professionals.

There are some simpler solutions. By using open_basedir you can control and restrict what directories are allowed to be used for PHP. You can also set up apache-only areas, to restrict all web based activity to non-user, or non-system, files.

70 questions
1
vote
1 answer

Limit of log line written to Apache Errorlog from mod php error_log

I have a simple setup of apache 2.4 + mod_php as web server. The error_log directive in php.ini is not set so it takes on the default value of 0. The behaviour is covered in this (https://www.php.net/manual/en/function.error-log.php), to summarise…
tinus91
  • 247
  • 1
  • 6
  • 22
1
vote
1 answer

Set memory_limit to PHP FPM with .htaccess

I need to modify in the htaccess the memory_limit, max_input_vars and max_execution_time of php. In order not to modify the global configuration of php on the server. In my virtualhost, I have this configuration: SetHandler…
Jatniel
  • 1,967
  • 2
  • 19
  • 27
1
vote
0 answers

Apache loads forever even if the PHP file is removed

We have a website that, in a certain set of circumstances, crashes and the page is blank and loads forever. What I don't understand is that once that crash has happened I can close the browser, physically remove index.php from the file system, then…
Geat
  • 1,169
  • 6
  • 17
1
vote
0 answers

Why the directives 'Configuration File (php.ini) Path' & 'Loaded Configuration File' from o/p of phpinfo() are showing entirely different locations?

I'm using a machine running on Windows 10 Home Single Language 64-bit Operating System I've installed PHP 7.2.9 and Apache/2.4.34 (Win32) using the latest version of XAMPP installer tool on this machine. PHP is installed as an Apache SAPI. I checked…
PHPLover
  • 1
  • 51
  • 158
  • 311
1
vote
1 answer

httpd-mmn version conflict when installing php 7.2?

I am trying to install php 7.2 on centos 6, and it results in the following error. I followed the steps as explained in: LINK. From other posts I understand it's probably because I build httpd 2.4 from source. But I can't find a good solution how to…
edbras
  • 4,145
  • 9
  • 41
  • 78
1
vote
0 answers

Apache 2.4 - Debian 8 - vHost - deactivate cgi-fcgi / php-fpm use mod_php

I try to set via vHost that cgi-fcgi / php-fpm are not used. So in the other vHost i have that. SetHandler php5-fastcgi Action php5-fastcgi /fastcgiphp Options +ExecCGI What i have…
user1898361
  • 55
  • 6
1
vote
1 answer

iconv utf-8 to ascii transliteration in mod_php/apache2

I need to compare strings and match names to one another even if they are not spelled the same way. For example DÉSIRÉ-Smith should match Desireesmith as well as Desiree or Desi'ree Smith So I had the following approch which worked perfectly in the…
The Surrican
  • 29,118
  • 24
  • 122
  • 168
1
vote
1 answer

Mac homebrew apache 2.2 php5_module segmentation fault

I've been moving my apache implementation from the Mac's builtin apache to apache installed with homebrew. This was going smoothly but when I went to test my PHP driven site it was clear that PHP wasn't running (apache itself worked and served the…
lostphilosopher
  • 4,361
  • 4
  • 28
  • 39
1
vote
1 answer

Using spdy with mod_php

The documentation for SPDY says it is not compatible with mod_php as its not thread safe: https://developers.google.com/speed/spdy/mod_spdy/php Much like the Apache Worker MPM, mod_spdy is a multithreaded module, and processes multiple SPDY…
DD.
  • 21,498
  • 52
  • 157
  • 246
1
vote
2 answers

Apache kills long time running process

On linux apache server ( ubuntu 14.04 lts, apache 2.4.7 with mpm_prefork and mod_php) I have PHP scripts that takes a long time. These are killed by apache. We have tune php setting (max_execution_time, set_time_limit...) We haven't any trace in log…
Inexine
  • 11
  • 2
1
vote
1 answer

PHP code is shown in browser as plain-text and not processed

I'm new to both PHP and developing on Mac OS X. I have the following code on the front-end (browser on my laptop): $('form').on('submit', function(e) { $.post( 'save.php', $(this).serialize(), function(response) { console.log( response…
Ege Ersoz
  • 6,461
  • 8
  • 34
  • 53
1
vote
2 answers

Disable MOD_PHP in vhosts and activate suphp

I need to desactivate mod_php on a vhost and let it working for other vhosts, I need to disable it in order to activate suphp. here is the vhost config : Options +Indexes ServerName www.native.org ServerAlias native.org …
Ali Mezgani
  • 1,229
  • 3
  • 13
  • 19
1
vote
1 answer

Running php with FastCGI under a single virtual host, and mod_php for all others?

I have some php scripts that need to run as another user than the apache user. In order to this, the scripts need to be run using FastCGI My plan is to use FastCGI in only a single virtual host. Is it possible to setup FasCGI only under a single…
Jeffrey Ray
  • 1,244
  • 2
  • 9
  • 20
1
vote
4 answers

How would I perhaps reduce the processor footprint of a php script?

I'm attempting to make a php script that can load the current weather forecast and it uses a bit of XML pre-processing to digest the input, however it is accessed quite often and reloaded. The problem begins with my current host, which yes I do…
JonnyLitt
  • 763
  • 6
  • 11
0
votes
1 answer

Apache php library caching

If I running a php script in Apache that "require"s a php file, is there a way that I can keep that in memory so that it doesn't need to be pulled from disk each time?
ckliborn
  • 209
  • 1
  • 2
  • 5
1 2
3
4 5