PHP: How To Disable Dangerous Functions
To disable functions, mainly for security reasons, you can use the disable_functions
directive in your php.ini
configuration file.
But, as the documentation states :
This directive must be set in php.ini
For example, you cannot set this in
httpd.conf.
I suppose this is too "internal" to be configurable anywhere else than in PHP... And as it's security related, it's up to the system administrator to configure it.
Still, the best security measure is to write clean/secure code, filter all input, escape all output... And not let anyone run their own code on your server !
How to deny the use of dangerous PHP functions?
Forget it. Reliable function whitelisting is not possible in php. Example:
$x = 'e' . str_replace('y', 'x', 'yec');
...lots of code...
$x('format c:');
realistic options are
- disabling functions (http://php.net/manual/en/ini.core.php#ini.disable-functions)
- sandboxing (see Recommendations for sandboxing inside PHP5 or alternatives?)
Programmatically disable specific PHP functions for testing
You can use runkit_function_remove
to remove any defined function, I think:
runkit_function_remove('curl_init');
And, as per the documentation:
Note: By default, only userspace functions may be removed, renamed, or modified. In order to override internal functions, you must enable the
runkit.internal_override
setting inphp.ini
.
How to disable eval function without going to php.ini file?
It won't work, because eval() is not a function - it's a language construct. You can disable it with suhosin, a protection system for PHP. That's the only way I know of.
From PHP.net:
Note: Because this is a language construct and not a function,
it cannot be called using variable functions
Disable php functions within htaccess
According to the PHP documentation, you can't use the disable_functions
setting anywhere other than in a php.ini
file, so I'm very surprised this is working at all.
If you need per-vhost or per-directory restrictions on functions, I would suggest using separate instances of PHP-FPM, each of which can have its own php.ini
. It also provides additional security benefits, such as complete sandboxing per daemon instance.
How do I disable a function(s) from usage in PHP?
In the php.ini
configuration file, you can use the disable_functions
parameter. For example, to disable the symlink()
and system()
functions, you would use:
disable_functions = "symlink,system"
How to disable ini_set and exec for a particular VirtualHost?
You're looking for the disable_functions entry in your php.ini.
So you want a different php.ini for your particular VirtualHost. That could be done via "PHPINIDir"
<virtualhost *:80>
ServerName www.example.com
DocumentRoot /path/to/example.com
PHPINIDir /whatever/path/to/php.ini
</virtualhost>
UPDATE: I removed the example with php_admin_value because, as others have noted in the comments, it wouldn't work with this particular setting. As was discussed here: php_admin_value disable_functions not working ( sorry ... should have looked it up beforehand).
Sharing access to use PHP for users - any tips?
Don't. There is no way to do this safely.
PHP was not designed for this application. It has no way to filter function calls at runtime.
Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:
$fn = "system";
$fn("evil command");
or by using commands which you may not realize are equivalent to eval
, such as assert
, create_function
, or even preg_exec
in some versions of PHP.
Why PHP function `curl_exec ` should be disabled?
It could be used to create a request loop on itself, which would lock the server. It could also be used to impersonate the site or proxy requests. If those are good enough reasons to disable curl_exex
, really depends how much you trust the code.
Related Topics
Set Precision for a Float Number in PHP
Warning: MySQLi_Query(): Couldn't Fetch MySQLi
Storing Arrays in the Database
How to Convert PHP Date Formats to Gmt and Vice Versa
Array_Key_Exists Is Not Working
How to Pass Data Between Pages in PHP
Split Keywords for Post PHP MySQL
PHP String Function to Get Substring Before the Last Occurrence of a Character
Selecting All Columns That Start with Xxx Using a Wildcard
Using Like in Bindparam for a MySQL Pdo Query
How to Destroy the Session Cookie Correctly with PHP
Retrieve the Id of an Inserted Record: PHP & Ms SQL Server
Warning: Preg_Match() [Function.Preg-Match]: Unknown Modifier '/'
PHP Check Value Against Multiple Values with Or-Operator
How to Check the Performance of MySQL Indexing
How to Connect to MySQL Database in PHP Using MySQLi Extension