Disable insecure/dangerous PHP functions
There are a number of things that must be understood here:
- The list of dangerous PHP functions is located here: http://php.net/manual . Seriously, almost any PHP function can be dangerous given the right context. strlen and the like are probably safe, but any function that talks to the outside world can bring surprises if the rest of the code is not safe.
- If you want to secure the site, security should be throughout the code; just disabling some function here and there is not going to work, it is only going to blind you and lead to sloppy coding.
- There are capabilities in PHP that can assist you in writing more secure code, however they won't make secure code out of insecure code. Look at open_basedir and allow_url_fopen as an example.
- You can use disable_functions to prohibit some actions that you consider dangerous, however only certain classes of actions can be inhibited this way. For example, you can disable exec, shell_exec, popen, passthru, proc_open, system, pcntl_exec and this probably will prevent running external programs from your code - but most of the things done by these programs can be done by PHP means too. And trying to avoid things like "writing a file" probably won't work - you should do it via OS permissions, not via PHP. So, define what exactly you want to prohibit first and then see if it's possible - while keeping in mind it may be impossible.
- Read the security chapter in the PHP manual. Read some PHP security books. Security is not done by just setting security=On in php.ini, unfortunately.
The only issue you have to worry about with this is disabling functions that are actually necessary. Disabling functions can definitely help prevent abuse. There are indeed functions such as exec, shell_exec, etc. that should almost never be used in a shared hosting environment.
Rather than just relying on this setting though, you should consider working on general security. For example, if you use suPHP or similar, you can prevent a whole bunch of attacks and make securing things a bit easier. Disabling functions should be the last thing you worry about; your server should be secure before you worry about that.
If you are hosting a website or a web server, there are functions in PHP which can be used to exploit the web site or web server using PHP scripts, and using these dangerous functions a hacker can get complete control over the web server, up to root level.
The list of dangerous functions in PHP development:
"apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
How to Disable dangerous functions in PHP
- Locate your "php.ini" file.
- Then find disable_functions= and add all the above functions to disable_functions, like
disable_functions="eval,system"
^^ here I have disabled only 2 functions; you can disable any number of functions by giving the list of functions to disable_functions="list of functions to be disabled, separated by commas"
If you want to know what each of the above functions exactly means, search for the function here:
http://in2.php.net/manual/en/function.system.php
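Putting the advice from the answers above into practice, here is an added shell script (not from any of the posts, and not part of PHP itself) that merges a list of function names into the disable_functions directive of a php.ini, reports which names from a wanted list are still not disabled, and reads other directives such as allow_url_fopen and open_basedir that the first answer mentions. The php.ini content is constructed for the demo and the function list is an assumption; adapt it to your own policy. Two caveats a practitioner should know: disable_functions only covers internal functions, so eval (a language construct) cannot be disabled this way, and the CLI and the web SAPI (mod_php or php-fpm) often read different php.ini files, so edit and check the one your web server actually loads.

```shell
#!/bin/sh
# Added example, not from the original posts: manage the disable_functions
# directive of a php.ini from the shell. Paths and the function list are
# assumptions to adapt to your own policy.
set -eu

# Print the effective value of an ini directive (last uncommented
# occurrence wins, as in PHP), with quotes, spaces and CRs stripped.
ini_value() {
    ini=$1; directive=$2
    sed -n "s/^[[:space:]]*${directive}[[:space:]]*=[[:space:]]*//p" "$ini" \
        | tail -n 1 | tr -d '" \r'
}

# Merge two comma-separated lists into one sorted, de-duplicated list.
merge_lists() {
    printf '%s,%s\n' "$1" "$2" | tr ',' '\n' | sed '/^$/d' | sort -u \
        | tr '\n' ',' | sed 's/,$//'
}

# Rewrite (or append) disable_functions so it covers the names already
# present plus those in $2; prints the resulting list.
set_disable_functions() {
    ini=$1; wanted=$2
    merged=$(merge_lists "$(ini_value "$ini" disable_functions)" "$wanted")
    if grep -q '^[[:space:]]*disable_functions[[:space:]]*=' "$ini"; then
        sed "s/^[[:space:]]*disable_functions[[:space:]]*=.*/disable_functions = $merged/" \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf 'disable_functions = %s\n' "$merged" >> "$ini"
    fi
    printf '%s\n' "$merged"
}

# Print, comma-separated, the names from $2 that $1 does not yet disable.
# Use this to check a stated policy ("nothing may spawn a process")
# against the file instead of disabling functions at random.
missing_from() {
    have=",$(ini_value "$1" disable_functions),"
    printf '%s\n' "$2" | tr ',' '\n' | while read -r fn; do
        case "$have" in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done | tr '\n' ',' | sed 's/,$//'
}

# Demo on a constructed php.ini (not a real server's file).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
; constructed sample php.ini for the demo
;disable_functions = eval
disable_functions = "system, exec"
allow_url_fopen = On
open_basedir = /var/www/html:/tmp
EOF
    echo "process-spawning functions now disabled:"
    set_disable_functions "$tmp" "exec,shell_exec,popen,passthru,proc_open,pcntl_exec"
    echo "still missing from a stricter policy: $(missing_from "$tmp" "system,posix_kill,dl")"
    echo "allow_url_fopen=$(ini_value "$tmp" allow_url_fopen) open_basedir=$(ini_value "$tmp" open_basedir)"
    rm -f "$tmp"
}

demo
```

After editing, restart php-fpm or Apache (php.ini is read at startup) and confirm the web SAPI really sees the value, for example with a throwaway page that echoes ini_get('disable_functions'), or with php -i | grep disable_functions for the CLI, remembering that the CLI may load a different php.ini than the web server.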