eval() is a serious liability for PHP security in general: a one-line webshell such as <?php eval($_POST[cmd]); ?> is all an attacker needs, so eval has to be blocked to keep that door shut.
It is widely repeated on the web that eval can be banned with disable_functions, but that is wrong.
In fact, eval() cannot be banned with disable_functions in php.ini, because eval() is a language construct handled by the Zend engine, not a function registered in PHP's function table; disable_functions only removes entries from that table.
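To see the point above on a running server, here is an added audit script (not from the original post; file name, function names and report format are this example's own, and it assumes PHP 5.3 or newer). It shows that eval is absent from the function table, flags a disable_functions entry for eval as ineffective, and reports whether Suhosin with disable_eval is active for the SAPI and directory it runs in:

```php
<?php
// eval_audit.php: run as `php eval_audit.php` (CLI) or request it through the
// web server, since the CGI/FastCGI SAPI may load different ini sections.
// Added example; names and output format are this example's own choices.

// 1. eval() is a language construct compiled by the Zend engine, so it is not
//    in the function table and disable_functions cannot reach it.
function eval_is_a_function() {
    $defined = get_defined_functions();
    return function_exists('eval') || in_array('eval', $defined['internal'], true);
}

// 2. Detect a php.ini that tries (uselessly) to disable eval via disable_functions.
function disable_functions_lists_eval() {
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array('eval', $list, true);
}

// 3. Suhosin state for the current SAPI. Under CGI/FastCGI, [PATH=] sections
//    apply per script directory, so run this from each document root you care
//    about, not only from the CLI.
function suhosin_status() {
    return array(
        'sapi'             => php_sapi_name(),
        'suhosin_loaded'   => extension_loaded('suhosin'),
        // ini_get() returns false for an unknown setting; FILTER_VALIDATE_BOOLEAN
        // maps "On", "1", "true" and "yes" to true and anything else to false.
        'disable_eval'     => filter_var(ini_get('suhosin.executor.disable_eval'), FILTER_VALIDATE_BOOLEAN),
        'script_directory' => dirname(__FILE__),
    );
}

function eval_audit() {
    $status   = suhosin_status();
    $findings = array();
    if (eval_is_a_function()) {
        $findings[] = 'unexpected: eval appears in the function table';
    }
    if (disable_functions_lists_eval()) {
        $findings[] = 'disable_functions contains "eval", which has no effect: eval is a language construct';
    }
    if (!$status['suhosin_loaded']) {
        $findings[] = 'Suhosin is not loaded in SAPI ' . $status['sapi'] . '; eval() is available';
    } elseif (!$status['disable_eval']) {
        $findings[] = 'Suhosin is loaded but suhosin.executor.disable_eval is Off for ' . $status['script_directory'];
    }
    return array('status' => $status, 'findings' => $findings);
}

print_r(eval_audit());
```

An empty findings list means eval is blocked for the SAPI and directory the script ran in; anything else names the gap to fix in php.ini.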
How to prohibit eval in PHP:
If you want to ban eval, use the Suhosin extension for PHP.
After installing Suhosin, load suhosin.so in php.ini and add suhosin.executor.disable_eval = On.
Suhosin installation method on Linux
The code is as follows:
cd /usr/local/src
wget http://cn.php.net/get/php-5.2.5.tar.gz/from/this/mirror
wget http://www.hardened-php.net/suhosin/_media/suhosin-patch-5.2.5-0.9.6.2.patch.gz   # download the patch from the official site
tar zxvf php-5.2.5.tar.gz
gunzip suhosin-patch-5.2.5-0.9.6.2.patch.gz   # unpack the patch
cd php-5.2.5
patch -p 1 -i ../suhosin-patch-5.2.5-0.9.6.2.patch   # apply the patch to the PHP source
./buildconf --force   # be sure to perform this step
CHOST="i686-pc-linux-gnu" CFLAGS="-O3 -msse2 -mmmx -mfpmath=sse -mcpu=pentium4 -march=pentium4 -pipe -fomit-frame-pointer" CXXFLAGS="-O3 -msse2 -mmmx -mfpmath=sse -funroll-loops -mcpu=pentium4 -march=pentium4 -pipe -fomit-frame-pointer" ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib-dir --with-bz2 --with-tiff-dir --with-libxml-dir=/usr/local/libxml2 --with-gd=/usr/local/gd2 --with-freetype-dir --with-jpeg-dir --with-png-dir --with-ttf --enable-mbstring --with-mysql=/usr/local/mysql --with-mysqli=/usr/local/mysql/bin/mysql_config --with-config-file-path=/etc --with-iconv --disable-ipv6 --enable-static --enable-maintainer-zts --enable-memory-limit --enable-zend-multibyte --enable-sockets --enable-soap --enable-suhosin   # configuration options
make
make install
Restart Apache with apachectl and view the phpinfo() output. If it shows
This server was protected with the Suhosin Patch 0.9.6.2 Copyright (c) 2006 Hardened-PHP Project
together with a lot of suhosin entries, the installation succeeded.
By the way, Suhosin can also be installed as a dynamic PHP extension:
wget http://download.suhosin.org/suhosin-0.9.23.tgz
tar zxvf suhosin-0.9.23.tgz
cd suhosin-0.9.23
/usr/local/php/bin/phpize   # this step cannot be skipped
./configure --with-php-config=/usr/local/php/bin/php-config   # give the absolute path to php-config here
make
make install
The last step prints the directory the compiled module was installed to; note it down:
Installing shared extensions: /usr/local/php/lib/php/extensions/no-debug-non-zts-20060613/
Then add the following two lines to php.ini:
extension=suhosin.so
suhosin.executor.disable_eval = On
What if part of your business still has to run eval? With PHP 5.3+ in CGI/FastCGI mode you can make an exception for a single directory in php.ini.
Method:
The code is as follows:
suhosin.executor.disable_eval = On
[PATH=/htdocs/www/ex1/]
suhosin.executor.disable_eval = Off
Finally, restart PHP-FPM and the exception takes effect: eval stays disabled everywhere except for scripts under /htdocs/www/ex1/.
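A directory exception keeps eval reachable from whatever runs in that directory, so it is worth checking whether the business code really needs eval at all. The following is an added example (not from the original post; the action names, helper functions and sample rules are this example's own, and it assumes PHP 5.3 or newer) that replaces a typical "evaluate a rule string" eval() with an allowlisted dispatch table, so suhosin.executor.disable_eval can stay On for the whole server:

```php
<?php
// Before (the pattern that forces an eval exception): a rule string taken from
// configuration or a request is executed verbatim, e.g.
//   eval('return ' . $rule . ';');
// After: rules are data (JSON), and only named, pre-written operations can run.
// Added example; action and function names are this example's own.

// Fetch a numeric argument or return false if it is missing or not numeric.
function num_arg(array $args, $key) {
    return isset($args[$key]) ? filter_var($args[$key], FILTER_VALIDATE_FLOAT) : false;
}

// The allowlist: every operation the rule engine may perform, with its own
// argument validation. Anything not listed here cannot be invoked.
$ALLOWED_ACTIONS = array(
    'apply_discount' => function (array $args) {
        $price = num_arg($args, 'price');
        $pct   = num_arg($args, 'percent');
        if ($price === false || $pct === false || $pct < 0 || $pct > 100) {
            throw new InvalidArgumentException('price and percent must be numeric, percent within 0..100');
        }
        return round($price * (1 - $pct / 100), 2);
    },
    'format_name' => function (array $args) {
        $name = isset($args['name']) ? (string) $args['name'] : '';
        return ucwords(strtolower(trim($name)));
    },
);

// Decode the rule as data and dispatch it through the allowlist only.
function run_rule($rule_json, array $allowed) {
    $rule = json_decode($rule_json, true);
    if (!is_array($rule) || !isset($rule['action']) || !is_string($rule['action'])
        || !array_key_exists($rule['action'], $allowed)) {
        throw new InvalidArgumentException('unknown or missing action');
    }
    $args = (isset($rule['args']) && is_array($rule['args'])) ? $rule['args'] : array();
    return call_user_func($allowed[$rule['action']], $args);
}

// Constructed sample rules, as they might arrive from a database row or a POST body.
$rules = array(
    '{"action":"apply_discount","args":{"price":"80.00","percent":"25"}}',  // 60.0
    '{"action":"format_name","args":{"name":"  aLiCe smith "}}',            // "Alice Smith"
    '{"action":"apply_discount","args":{"price":"80.00","percent":"250"}}', // rejected: bad percent
    '{"action":"delete_everything","args":{}}',                             // rejected: not allowlisted
);
foreach ($rules as $json) {
    try {
        var_dump(run_rule($json, $ALLOWED_ACTIONS));
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

With rules expressed as data and operations fixed in code, the [PATH=] exception is no longer needed and the audit reported by the rest of the server applies to this directory as well.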