PHPKonf Istanbul PHP Conference 2019 - Call for Papers
add a note add a note

User Contributed Notes 16 notes

pookey at pookey dot co dot uk
15 years ago
I have setup a guide to installing PHP with SuEXEC in such a way that shebangs (!#/usr/bin/php4) are not needed.  Hope this is of some help to you.

6 years ago

There was a serious vulnerability in certain CGI-based PHP setups that has gone unnoticed for at least 8 years.

For PHP this means that a request containing ?-s may dump the PHP source code for the page.

Make sure to update to current versions and/or use an .htaccess patch, both available here:

PHP 5.3.12 and PHP 5.4.2 Released:
martelli at geoserve dot com dot br
14 years ago
PHP CGI with VirtualHosts.

This is what I found out while trying to get php to work as CGI with Apache VirtualHosts.

By enabling 'force-cgiredirects', you *must*:
1) set 'cgi.fix_pathinfo=1' in php.ini
2) leave doc_root commented out (php.ini also)

If you miss item 1, the apache logs will show 'unexpected T_STRING' in the php binary.
If you miss item 2, you'll only see 'No input file specified.', instead of the expected output.

You can then turn on the php support for a particular vhost by defining:

Action php-script /cgi-bin/php

inside the corresponding <VirtualHost> directive.
steeven at kali dot com dot cn
17 years ago
suEXEC require CGI mode, and slow down the scripts. I did them like this:
1. Install php as DSO mode. (for max speed and low secure)
2. Make a seperate CGI install with --enable-force-cgi-redirect, place php to cgi-bin
3 For more secure with suEXEC, choose one of the following method:
3-1: Place a .htaccess file containing this to override main config:
AddType application/x-httpd-wphp php
Action application/x-httpd-wphp /cgi-bin/php
  All php files in subdirectory will be protected.
3-2: add following in httpd.conf:
AddType application/x-httpd-wphp sphp
Action application/x-httpd-wphp /cgi-bin/php
  then each sensitive php file should be renamed to .sphp

Add "php_value doc_root /home/user/html_docs" to each virtual host directive in httpd.conf
kstone at trivergent dot net
18 years ago
Better yet, use binfmt_misc:  (linux only)

echo :php3:E::php3::/usr/bin/php: > /proc/sys/fs/binfmt_misc/register

Eliminates the need for the #! at the top of the file.
michel dot jansens at ulb dot ac dot be
17 years ago
If you want to use suexec and reference your php interpreter via #!/usr/local/bin/php,  be shure to compile php WITHOUT  --enable-force-cgi-redirect.

This might seems obvious, but I spent 2 days on this :-(
ruben at puettmann dot net
16 years ago
To use php-cgi with suexec it will be nice that each virtual host has ist's own php.ini. This goes with :

SetEnv PHPRC /var/www/server/

But suexec will kill this enviromet cause It don't know that it is "save" so you must edit the suexec.c for compiling ....
yohgaki at hotmail dot com
17 years ago
If you care about security, you are better of setting

register_globals = off
enable_track_vars = on (Always on from PHP4.0.3)

Default setting for variable order is

Imagine if you are rely on ENV VAR but it was orver written with GET/POST/COOKIE vars?
phil dot ross at gmail dot com
13 years ago
In response to grange at club-internet dot fr:

There are a couple of errors in the mod_rewrite directives given. I found that the following works:

RewriteEngine on
RewriteCond %{ENV:REDIRECT_STATUS} !200
RewriteRule ^cgi-bin/php.cgi - [F]

I removed the = from the RewriteCond and took out the leading / from the RewriteRule.
goran_johansson at yahoo dot com
15 years ago
A tip for Windows-users

Just a tip for you so do not do the same mistake as I did:
I just found out that PHP first seem to look in the php-directory for php.ini, and if that file does not exist, it looks in the Windows directory.
I renamed the file php.ini-dist to php.ini and copied it to my Windows directory, and then I modified the infamous "cgi.force_redirect = 0" in the php.ini file located in the Windows directory, to make it work. But it did not because it reads from the "original" php.ini - So when I deleted this php.ini things started working again
Craig Buchek
11 years ago
NOTE: Running PHP as a CGI program will change the value of $_SERVER['SCRIPT_NAME']. When running via the (normal) mod_PHP mechanism, it will be set to the name of (actually, path to) the PHP script that's running. When running via CGI, it will instead point to the path of the CGI binary.
geeky at geeky dot de
15 years ago
a replacement for suexec is suphp (//

"suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter." (from the website)
12 years ago
One of the most common reasons why you get 'No input file specified' (AKA 'the second most useful error message in the world') is that you have set 'doc_root' (in php.ini) to a value which is to the 'DocumentRoot' defined in the apache configuration.

This is the same for other webservers. For example, on lighttpd, make sure the 'server.document-root' value is the same as what is defined as 'doc_root' in php.ini.
kschroeder at mirageworks dot com
13 years ago
I have noticed that some people have noted that running PHP as a CGI program can run slowly compared with a compiled in module.  Some have noted that they want to use FastCGI but are hesitant.  I found that using the Apache 2's CGID module was a great way to speed up performance almost to the same level as an "so"-installed PHP module but you get the added benefit of running each virtual host under it's own user and group. 

In my testing I got 44 pages per second using PHP as a module and I got roughly the same performance (within 5%) running PHP as a CGI program through CGID.

CGID is also really easy to set up.  Just add --enable-cgid to your Apache configure command and you're good to go.  Just set up PHP as a CGI normally.

I'm sure that there's extra RAM used for this method but RAM is as cheap as borscht anyways so it shouldn't be a major factor when trying to speed up PHP CGI.
14 years ago
PHP works with Apache and suEXEC like this:
(Assuming that suEXEC ist allready installed and working)

Install PHP as CGI binary (e.g. in /usr/local/bin/php)
(compile with --enable-force-cgi-redirect)

Create a Link inside cgi-bin directory to make php-cgi accessable:
cd /usr/local/apache/cgi-bin
ln /usr/local/bin/php php

Edit your httpd.conf file:
AddHandler php4-script .php
Action php4-script /cgi-bin/php

<VirtualHost 123.456.789.0:80>
    User exampleuser
    Group examplegroup

Restart Apache

PHP-scripts are now called under the user-id of exampleuser and group-id of examplegroup.
matled at gmx dot net
16 years ago
If you are using php per cgi and have additionally mod_gzip enabled you have to disable mod_gzip for the php cgi binary to use --enable-cgi-redirect. mod_gzip sets the REDIRECT_STATUS always to 200 which makes it impossible for the php binary to know when it was called directly or when it was called by a redirect.
To Top
  • 候选案例:国际甲状腺知识宣传周义诊 2018-12-13
  • 大家都误解蔡英文了?台专家酸讽:台湾的问题出在2300万人身上 2018-12-13
  • 外国领导人祝贺我新一届领导人 2018-12-13
  • 浙江一母亲去医生儿子那看病 监控看了让人落泪 2018-12-12
  • 回复@老老保老张工:计划不要批准?那不还是你自己做主?有必要走形式么? 2018-12-12
  • 一语惊坛(6月15日):人民日报和共和国共同成长。 2018-12-11
  • 围挡施工一年多 据说完工尚无期(图) 2018-12-11
  • 12306网站用户信息外泄?铁总深夜“辟谣” 2018-12-11
  • 第二届加强创新和社会管理案例理论论坛暨社会管理创新案例颁奖典礼 2018-12-10
  • 中国共产党第十九次全国代表大会 2018-12-10
  • 女性之声——全国妇联 2018-12-10
  • NBA总决赛4比0横扫骑士问鼎 4年夺3冠勇士王朝! 2018-12-09
  • 图解:关于中国梦,习近平总书记这十句话直抵人心 2018-12-09
  • 【十九大·理论新视野】动漫:“美丽中国”如何绘就 2018-12-09
  • 宁波制造分享俄罗斯世界杯经济蛋糕 2018-12-08
  • 52| 167| 586| 875| 391| 766| 911| 698| 543| 197|