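PHP 8, like PHP 5, PHP 6 and PHP 7, needs the matching version of the Microsoft Visual C++ runtime installed. The notes in the left-hand column give the download location for the runtime: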
VC15 & VS16
More recent versions of PHP are built with VC15 or VS16 (Visual Studio 2017 or 2019 compiler respectively) and include improvements in performance and stability.
- The VC15 and VS16 builds require to have the Visual C++ Redistributable for Visual Studio 2015-2019 or installed
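VS16 x64 Non Thread Safe (2020-Nov-24 22:43:38): note the "vs16" in the name.
VC15 x64 Non Thread Safe (2020-Nov-24 15:08:39): note the "vc15" in the name.
Install the runtime and restart the server. If the package name looks like php-5.3.4-Win32-VC6-x86.zip, you need to install the VC6 runtime; look for it on the Microsoft website.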
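Extract the downloaded PHP 8 archive and place it in a suitable directory. From personal experience I suggest creating a directory such as c:/php/php8.0; the next time you upgrade PHP you can create another one, c:/php/php8.3, which makes switching between PHP versions relatively clear.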
date.timezone = Asia/Shanghai
extension_dir = "c:\php\php8.0\ext"
Just remove the ; comment marker from these lines:
extension=curl
extension=gd
extension=mbstring
extension=mysqli
extension=openssl
extension=pdo_mysql
session.save_path = "d:\temp\phpSession"
cgi.fix_pathinfo = 0
fastcgi.impersonate = 1
cgi.force_redirect = 0
expose_php = Off
It is worth reading the original comments in php.ini to better understand what these four settings do.

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo = 0

; FastCGI under IIS supports the ability to impersonate
; security tokens of the calling client. This allows IIS to define the
; security context that the request runs under. mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS. Default is zero.
; http://php.net/fastcgi.impersonate
fastcgi.impersonate = 1

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers. Left undefined, PHP turns this on by default. You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; http://php.net/cgi.force-redirect
cgi.force_redirect = 0

; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
; http://php.net/expose-php
expose_php = Off
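In the past the usual setting was cgi.fix_pathinfo = 1, but a serious vulnerability has now been found in it. An example of the cause:
When the URL www.xx.com/phpinfo.jpg/1.php is requested, $fastcgi_script_name is set to "phpinfo.jpg/1.php", which is then built into SCRIPT_FILENAME (an absolute path) and passed to PHP CGI. If the cgi.fix_pathinfo=1 option is enabled (1 is the default, so if it has never been set it is enabled), the following logic is triggered in PHP:
PHP decides that SCRIPT_FILENAME (the absolute path) is phpinfo.jpg and that 1.php is PATH_INFO, so phpinfo.jpg is parsed as a PHP file. This is also a logic problem, which means that simply appending /.php after an ordinary .jpg is enough to get around the parsing successfully.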
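The behaviour described above, as an added Python example that is not part of the original article: resolve_script is a simplified model of the walk-back PHP CGI performs when cgi.fix_pathinfo=1, and flag_requests looks for the same URL shape in access logs. The function names, the file set and the four-field log format are assumptions constructed for illustration.

```python
import re

# Simplified model of how PHP CGI picks the script to run (assumption: it
# mirrors the behaviour described above; it is not PHP's actual source).
def resolve_script(script_filename, existing_files, fix_pathinfo):
    """Return (script, path_info), or (None, None) if nothing is executed."""
    if script_filename in existing_files:
        return script_filename, ""
    if not fix_pathinfo:
        return None, None            # cgi.fix_pathinfo=0: no walk-back
    parts = script_filename.split("/")
    # cgi.fix_pathinfo=1: strip trailing segments until a real file is found
    for cut in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:cut])
        if candidate in existing_files:
            return candidate, "/" + "/".join(parts[cut:])
    return None, None

# Detection: a non-PHP file segment followed by a trailing *.php segment.
SUSPICIOUS = re.compile(r"/[^/]+\.(?!php)[a-z0-9]+/[^/]*\.php$", re.I)

def flag_requests(log_lines):
    """Return URI stems (3rd field of the constructed log format) to review."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and SUSPICIOUS.search(fields[2]):
            hits.append(fields[2])
    return hits

# Constructed sample data, not taken from a real server.
FILES = {"c:/www/index.php", "c:/www/phpinfo.jpg"}
LOG = [
    "2020-11-24 GET /index.php 200",
    "2020-11-24 GET /phpinfo.jpg 200",
    "2020-11-24 GET /phpinfo.jpg/1.php 200",
    "2020-11-24 GET /blog/index.php 200",
]

if __name__ == "__main__":
    for flag in (1, 0):
        print(flag, resolve_script("c:/www/phpinfo.jpg/1.php", FILES, flag))
    print(flag_requests(LOG))
```

With the setting at 1 the model selects phpinfo.jpg as the script; with 0 nothing is executed, which is why the article sets cgi.fix_pathinfo = 0.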
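Directory permissions
If you are told that the program cannot run, try adjusting the directory permissions.
Other settings
The configuration above is only the most basic one for running securely. In real development you may need to change other settings, such as the upload file size limit, the response timeout, and so on.
Open the IIS interface, select Handler Mappings - Add Module Mapping, and follow the figure below; note that the executable is php-cgi.exe
Choosing "Yes" is enough. If you chose "Yes" in the previous step, this is already set up here.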
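Add the default PHP documents, usually index.php and default.php.
Xsdf2dm.php.
Create an index.php file in the root directory to check whether the configuration is correct; the code is as follows:
Remember to delete this file once the site is actually running, otherwise it exposes far too much.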
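First configure all the PHP versions at the parent level.
Then set up a web.config in each domain's directory, with content along these lines:
In testing, it also runs successfully without <remove name="php7.0" /> and <remove name="php8.0" />, writing only the add element, but I have not yet looked into whether this causes problems. If anyone runs into errors, leave a comment.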
Reposted from: http://lxkpi.baihongyu.com/