  1. #1
    Regular Coder (Join Date: Nov 2009; Location: Hamilton, New Zealand; Posts: 126; Thanks: 0; Thanked 17 Times in 17 Posts)

    disable_functions directive

    I'm currently working with a team to develop a CMS which allows the user to add some PHP functions to their page. We are getting to the point where we are going to work on that function of the CMS, and I was just wondering what functions you would disable. I've got the basics, but what other ways do people know where security can be put at risk by allowing users to write (and execute) PHP scripts?

    I've got the basic list here (For those who don't know, this is to be used in the php.ini file):
    Code:
    disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
    My team hasn't begun discussing this matter yet, but I was just curious about it.
    Affordable Web Design (New Zealand Based)
    Internet Marketing Guru
    PHP/mySQL Expert
    -------------------------------------------

  • #2
    angst, Senior Coder (Join Date: Apr 2004; Location: Toronto, Ontario; Posts: 2,114; Thanks: 15; Thanked 122 Times in 122 Posts)
    pcntl_exec() is the only one that I don't see in your list that could be used to execute system commands. But you may also want to remove rmdir(), unlink(), and such.

  • #3
    Fou-Lu, God Emperor (Join Date: Sep 2002; Location: Saskatoon, Saskatchewan; Posts: 16,987; Thanks: 4; Thanked 2,660 Times in 2,629 Posts)
    I wouldn't disable anything. It's not the responsibility of software developers to disable directives and functions; it's our job to work around anything that's limiting us. If you need to use commonly disabled functions, make note of this in your documentation; otherwise you shouldn't really care if they are enabled or disabled, since it doesn't affect your software.
    Many people do not have the ability to alter their ini files, and disable_functions must be altered from the ini file.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
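    A startup check a CMS could ship to act on the advice in #3 (document which functions you rely on instead of assuming the host's php.ini), using the disable_functions list from #1 as constructed sample input. This is an added example, not code from the thread or any project; the REQUIRED function list is a hypothetical one.

```php
<?php
// Added example: report which functions the application needs are unavailable,
// and distinguish "disabled by disable_functions" from "not compiled in".
// Only core PHP is used; the sample directive and required list are constructed.

// Parse the directive (comma-separated; PHP tolerates surrounding spaces)
// into a set keyed by lowercased function name.
function disabledFunctionSet(?string $directive = null): array
{
    $directive = $directive ?? (string) ini_get('disable_functions');
    $set = [];
    foreach (explode(',', $directive) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

// Classify each required function as:
//   'disabled'  - listed in disable_functions. function_exists() returns
//                 false for disabled functions, so the directive itself is
//                 consulted first to tell this case apart from 'missing'.
//   'available' - present and not disabled in this runtime.
//   'missing'   - not in the function table at all, e.g. pcntl_exec when the
//                 pcntl extension is not loaded.
function checkRequiredFunctions(array $required, ?string $directive = null): array
{
    $disabled = disabledFunctionSet($directive);
    $report = [];
    foreach ($required as $fn) {
        if (isset($disabled[strtolower($fn)])) {
            $report[$fn] = 'disabled';
        } elseif (function_exists($fn)) {
            $report[$fn] = 'available';
        } else {
            $report[$fn] = 'missing';
        }
    }
    return $report;
}

// Constructed sample: the directive from post #1 and a hypothetical list of
// functions the CMS feature might call. Pass null instead of $directive to
// check the live php.ini of the host the CMS is actually installed on.
$directive = 'exec,passthru,shell_exec,system,proc_open,popen,curl_exec,'
           . 'curl_multi_exec,parse_ini_file,show_source';
$report = checkRequiredFunctions(['exec', 'curl_exec', 'pcntl_exec', 'file_get_contents'], $directive);
foreach ($report as $fn => $status) {
    printf("%-18s %s\n", $fn, $status);
}
```

    Because disable_functions is PHP_INI_SYSTEM, ini_get() is the only way a script can learn the setting; the script cannot change it, which is the limitation #3 describes.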

