User Tools

Site Tools


php:disabling_dangerous_php_functions

PHP - Disabling Dangerous PHP Functions

Here's a complete list of such functions which are needed to be stopped from being executed within any website on your web hosting server:

apache_child_terminate, 
apache_setenv, 
define_syslog_variables, 
escapeshellarg, 
escapeshellcmd, 
eval, 
exec, 
fp, 
fput, 
ftp_connect, 
ftp_exec, 
ftp_get, 
ftp_login, 
ftp_nb_fput, 
ftp_put, 
ftp_raw, 
ftp_rawlist, 
highlight_file, 
ini_alter, 
ini_get_all, 
ini_restore, 
inject_code, 
mysql_pconnect, 
openlog, 
passthru, 
php_uname, 
phpAds_remoteInfo, 
phpAds_XmlRpc, 
phpAds_xmlrpcDecode, 
phpAds_xmlrpcEncode, 
popen, 
posix_getpwuid, 
posix_kill, 
posix_mkfifo, 
posix_setpgid, 
posix_setsid, 
posix_setuid, 
posix_setuid, 
posix_uname, 
proc_close, 
proc_get_status, 
proc_nice, 
proc_open, 
proc_terminate, 
shell_exec, 
syslog, 
system, 
xmlrpc_entity_decode

Locate your php.ini and then edit:

php -i | grep php.ini

Returns something like

Configuration File (php.ini) Path => /etc/php/7.0/cli
Loaded Configuration File => /etc/php/7.0/cli/php.ini

Now edit the file using your favourite editor :

vi /etc/php/7.0/cli/php.ini

Search for the following text within that configuration file & modify disable_functions = ““ to

/etc/php/7.0/cli/php.ini
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

After modifying the PHP configuration, the Apache web server needs to be restarted.. for the above done changes to take effect.

If you find any problems with your web-applications after disabling these above mentioned functions, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application..

Note that the above mentioned solution is applicable for both type of servers, Linux web hosting server & for Windows web hosting servers as well.. The PHP configuration on Windows is generally found in the C:\Windows folder.. Make sure you restart IIS web server PHP config modifications on windows servers too..

php/disabling_dangerous_php_functions.txt · Last modified: 2020/07/15 09:30 by 127.0.0.1

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki