Some PHP dangerous functions that need to be disabled (disable_functions)

Source: Internet
Author: User
Tags: phpinfo, symlink, syslog

Sometimes, to keep a server safe, a number of dangerous PHP functions have to be disabled. The following list is arranged for reference: each entry gives the function, what it does, and a hazard rating.
phpinfo()
Function Description: Outputs the PHP configuration, loaded modules, environment variables and web server details. Everything it reveals (version, paths, ini settings) helps an attacker plan the next step.
Hazard Rating: Medium

passthru()
Function Description: Executes an external program and passes its raw output straight to the client, similar to exec().
Hazard Rating: High

exec()
Function Description: Executes an external program (a UNIX shell or Windows CMD command, for example) and returns the last line of its output.
Hazard Rating: High

system()
Function Description: Executes an external program and outputs its result, similar to passthru().
Hazard Rating: High

chroot()
Function Description: Changes the root directory of the current PHP process. It is only available in the CLI, CGI and embed SAPIs on UNIX-like systems, and is not available on Windows.
Hazard Rating: High

scandir()
Function Description: Lists the files and directories in the given path.
Hazard Rating: Medium

chgrp()
Function Description: Changes the group of a file or directory.
Hazard Rating: High

chown()
Function Description: Changes the owner of a file or directory.
Hazard Rating: High

shell_exec()
Function Description: Runs a command through the shell and returns the complete output as a string. The backtick operator does the same thing and is disabled together with shell_exec().
Hazard Rating: High

proc_open()
Function Description: Executes a command and returns file pointers (pipes) for its input and output.
Hazard Rating: High

proc_get_status()
Function Description: Returns information about a process started with proc_open().
Hazard Rating: High

error_log()
Function Description: Sends an error message to the configured error log, or, with message_type 3, appends it to a file path chosen by the caller, which is an arbitrary file write.
Security Note: In some old PHP versions error_log() could be used to bypass PHP safe mode and execute arbitrary commands. Safe mode itself was removed in PHP 5.4.0.
Hazard Rating: Low

ini_alter()
Function Description: An alias of ini_set(); see ini_set() for details. Disabling one without the other is pointless.
Hazard Rating: High

ini_set()
Function Description: Changes a PHP configuration directive for the remainder of the current request. Only directives with INI_USER or INI_ALL changeable mode can be modified; disable_functions is PHP_INI_SYSTEM and cannot be re-enabled this way.
Hazard Rating: High

ini_restore()
Function Description: Restores a PHP configuration directive to its original value from php.ini.
Hazard Rating: High

dl()
Function Description: Loads a PHP extension (a native shared library) while PHP is running rather than at startup, which amounts to executing arbitrary native code. It only works in the CLI, CGI and embed SAPIs and when enable_dl is on.
Hazard Rating: High

pfsockopen()
Function Description: Opens a persistent socket connection to an Internet host or a UNIX domain socket.
Hazard Rating: High

syslog()
Function Description: Writes a message to the system log through the UNIX syslog(3) facility; openlog() is its companion.
Hazard Rating: Medium

readlink()
Function Description: Returns the target that a symbolic link points to.
Hazard Rating: Medium

symlink()
Function Description: Creates a symbolic link on UNIX systems. On shared hosts this has been used to expose other users' files through the web root.
Hazard Rating: High

popen()
Function Description: Runs the command passed as its argument and returns a file pointer connected to the process's input or output.
Hazard Rating: High

stream_socket_server()
Function Description: Creates a listening Internet or UNIX domain socket server.
Hazard Rating: Medium

putenv()
Function Description: Sets an environment variable for the running PHP process (not only the character set variables). In PHP below 5.2.6 this could be combined with special sendmail parameters to execute shell commands. It is also the ingredient of the well-known LD_PRELOAD trick: set LD_PRELOAD to an attacker-controlled shared object and then call mail(), so that the sendmail child process loads it.
Hazard Rating: High

The disable method is as follows:
Open the php.ini used by the SAPI that serves requests (php --ini prints the file the CLI loads; mod_php and php-fpm often load a different one, so confirm it through phpinfo() before disabling phpinfo itself), find disable_functions and add the names of the functions to disable, separated by commas:
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server,fsockopen

Things to check in that line: eval cannot be disabled this way, because it is a language construct, not a function; and PHP does not warn about names it cannot find, so a typo (for example "fsocket" instead of fsockopen) or a duplicated entry silently leaves the intended function enabled. The entries above also rate error_log(), ini_set() and putenv(); they are left out of this line because many applications rely on them, so add them (and consider scandir()) only after testing the application. disable_functions is a PHP_INI_SYSTEM directive: it takes effect only from php.ini or the server's PHP configuration (php_admin_value in Apache, php_admin_value[] in a php-fpm pool), not from .htaccess or ini_set(), and the web server or php-fpm must be restarted afterwards.
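The script below is an added example, not part of the original article: it audits the disable_functions value that is actually in effect for the SAPI it runs under, using the article's hazard groups as the checklist. Since PHP 8.0 a disabled function is removed from the function table, so function_exists() returns false for it exactly as it does for a function the SAPI never had (chroot() in php-fpm, for instance); the script therefore consults disable_functions before function_exists(). The file name audit_disable_functions.php and the grouping constant are assumptions made for the example.

```php
<?php
// Added example, not from the original article: report which of the article's
// dangerous functions are still callable under the current SAPI.  Run it through
// the SAPI you care about (a web request via php-fpm or mod_php), or on the CLI:
//   php -d 'disable_functions=eval,exec,system,fsocket' audit_disable_functions.php
declare(strict_types=1);

// The functions rated in the article, grouped by its hazard rating (constructed
// from the list above; adjust to your own policy).
const DANGEROUS = [
    'High'   => ['passthru', 'exec', 'system', 'chroot', 'chgrp', 'chown', 'shell_exec',
                 'proc_open', 'proc_get_status', 'ini_alter', 'ini_set', 'ini_restore',
                 'dl', 'pfsockopen', 'symlink', 'popen', 'putenv'],
    'Medium' => ['phpinfo', 'scandir', 'syslog', 'readlink', 'stream_socket_server'],
    'Low'    => ['error_log'],
];

// Language constructs are not functions: listing them in disable_functions is silently ignored.
const LANGUAGE_CONSTRUCTS = ['eval', 'include', 'include_once', 'require', 'require_once'];

/** Turn the raw INI value into a set of lower-cased names (function names are case-insensitive). */
function parseDisabledFunctions(string $iniValue): array
{
    $names = array_filter(array_map('trim', explode(',', $iniValue)), 'strlen');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/**
 * Classify every function in DANGEROUS as 'disabled', 'ENABLED' or absent.
 * The disable_functions lookup comes first because a disabled function and a
 * function this SAPI never had both make function_exists() return false.
 */
function auditDangerousFunctions(array $disabled): array
{
    $report = [];
    foreach (DANGEROUS as $rating => $functions) {
        foreach ($functions as $fn) {
            if (isset($disabled[$fn])) {
                $report[$rating][$fn] = 'disabled';
            } elseif (function_exists($fn)) {
                $report[$rating][$fn] = 'ENABLED';
            } else {
                $report[$rating][$fn] = 'absent from this SAPI/build';
            }
        }
    }
    return $report;
}

/** Entries in disable_functions that can never take effect because they are language constructs. */
function ineffectiveEntries(array $disabled): array
{
    return array_values(array_intersect(array_keys($disabled), LANGUAGE_CONSTRUCTS));
}

/** Entries that are neither in the article's list nor constructs: candidates for typos. */
function unexpectedEntries(array $disabled): array
{
    $known = array_merge(...array_values(DANGEROUS));
    return array_values(array_diff(array_keys($disabled), $known, LANGUAGE_CONSTRUCTS));
}

$disabled = parseDisabledFunctions((string) ini_get('disable_functions'));

printf("PHP %s, SAPI %s, loaded php.ini: %s\n",
    PHP_VERSION, PHP_SAPI, php_ini_loaded_file() ?: '(none)');
foreach (auditDangerousFunctions($disabled) as $rating => $functions) {
    echo "[$rating]\n";
    foreach ($functions as $fn => $status) {
        printf("  %-22s %s\n", "$fn()", $status);
    }
}
foreach (ineffectiveEntries($disabled) as $name) {
    echo "WARNING: '$name' is a language construct; disable_functions has no effect on it.\n";
}
// PHP does not validate the names in disable_functions, so a misspelled entry
// (e.g. "fsocket") is accepted and the intended function stays enabled.
foreach (unexpectedEntries($disabled) as $name) {
    echo "NOTE: '$name' is not in the article's list; check that it is spelled as intended.\n";
}
```

Run it once per SAPI rather than only on the CLI: the CLI and php-fpm commonly read different php.ini files, and only the report produced through the web SAPI reflects what an uploaded web shell would be able to call.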

