
PHP Security – Disabling potentially harmful functions

September 3rd, 2009

Most instances of hacked PHP web servers I’ve seen were exploited through a hole in an application or some other way to upload malicious PHP code. These scripts run their payload through the PHP functions that execute commands directly on the server, which can easily be countered by disabling those functions.

Just use the disable_functions configuration option in your global php.ini file:

; eval is a language construct, not a function, so disable_functions cannot block it; it is listed here as in the original but has no effect
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, exec, fputs, fwrite, highlight_file, passthru, php_uname, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, eval"

You cannot change disable_functions at runtime through ini_set() (see: http://www.php.net/manual/en/ini.list.php), so the PHP configuration-modifying functions can be left enabled without risk. The list above also blocks some other potentially harmful functions.
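As an added check that is not part of the original post, the script below reports whether each function in the list above is actually unavailable in the interpreter it runs under. It assumes you run it under the same SAPI as your web application (the CLI may load a different php.ini than Apache or FPM) and that the list matches your php.ini.

```php
<?php
// Added verification script, not from the original post. Run it under the
// same SAPI as the web application, since php.ini can differ per SAPI.

// The list recommended above, split out for checking (edit to match your php.ini).
$wanted = ['apache_child_terminate', 'apache_setenv', 'define_syslog_variables',
    'escapeshellarg', 'escapeshellcmd', 'exec', 'fputs', 'fwrite',
    'highlight_file', 'passthru', 'php_uname', 'popen', 'posix_getpwuid',
    'posix_kill', 'posix_mkfifo', 'posix_setpgid', 'posix_setsid',
    'posix_setuid', 'posix_uname', 'proc_close', 'proc_get_status',
    'proc_nice', 'proc_open', 'proc_terminate', 'shell_exec', 'system', 'eval'];

// Language constructs are not functions: disable_functions silently ignores them.
$constructs = ['eval', 'include', 'include_once', 'require', 'require_once'];

// What the running interpreter actually has in effect.
$configured = array_filter(array_map('trim',
    explode(',', (string) ini_get('disable_functions'))));

$report = [];
foreach ($wanted as $fn) {
    if (in_array($fn, $constructs, true)) {
        $report[$fn] = 'language construct: disable_functions cannot block it';
    } elseif (!in_array($fn, $configured, true)) {
        $report[$fn] = 'NOT in disable_functions for this SAPI';
    } elseif (function_exists($fn)) {
        // function_exists() returns false for a disabled function, so true
        // here means the setting did not take effect in this interpreter.
        $report[$fn] = 'listed but STILL CALLABLE';
    } else {
        $report[$fn] = 'disabled';
    }
}

printf("PHP %s, SAPI %s, php.ini: %s%s",
    PHP_VERSION, PHP_SAPI, php_ini_loaded_file() ?: 'none', PHP_EOL);
foreach ($report as $fn => $status) {
    printf("%-25s %s%s", $fn, $status, PHP_EOL);
}
```

Anything reported as "NOT in disable_functions" or "STILL CALLABLE" means the hardening is not in force for that SAPI, usually because a different php.ini or a per-directory override is being loaded.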
