A brief discussion on dangerous functions that need to be disabled in PHP

This article will talk about PHP security, introduce some dangerous built-in functions, and how to disable functions. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.

The disable_functions option in the PHP configuration file can disable functions in PHP. There are many extremely dangerous functions in PHP built-in functions. You must pay attention to their use in the production environment. . Improper settings may seriously cause system crash.

Built-in functions are a double-edged sword. They can not only help developers solve problems, but also cause hidden dangers to security. Therefore, the reasonable use of built-in functions is an important issue. Let’s take a look at it together. Check out dangerous built-in functions.

chgrp

Function: Change the user group to which a file or directory belongs;

Harmfulness: High

chown

Function: Change the owner of a file or directory;

Harmfulness: High

chroot

Function: Change the working root directory of the current PHP process. PHP can only work when the system supports CLI mode, and this function is not applicable to Windows systems;

Hazardousness: High

dl

Function: Load a PHP external module during PHP running (not at startup);

Hazardousness: High

exec

Function: Allows the execution of an external program, such as unix shell or cmd command, etc.;

Harmfulness: High

ini_alter

Function: It is an alias function of ini_set() function, the function is the same as ini_set();

Harmfulness: High

ini_restore

Function: Can be used to restore the PHP environment configuration function to its initial value;

Harmfulness: High

ini_set

Function : Can be used to modify and set PHP environment configuration parameters;

Harmfulness: High

passthru

Function: Allow the execution of an external program and display Output, similar to exec();

Harmfulness: High

pfsockopen

Function: Establish a persistent socket connection in the Internet or Unix domain ;

Harmfulness: High

phpinfo

Function: Output PHP environment information and related modules, Web environment information;

Hazard: High

popen

Function function: You can pass a command through the parameters of popen() and execute the file opened by popen().

Hazard: High

proc_get_status

Function: Get the process information opened using proc_open();

Hazard : High

proc_open

Execute a command and open the file pointer for reading and writing;

Hazardous: High

putenv

Users change the system character set environment when PHP is running. In PHP versions lower than 5.2.6, you can use this function to modify the system character set environment and use the sendmail command. Send special parameters to execute system shell commands;

Harmfulness: High

readlink

Function function: Return the contents of the target file executed by the symbolic link;

Hazard: Medium

scandir

Function: List the files and directories in the specified path;

Hazard: Medium

shell_exec

Function function: execute the command through the shell and return the execution result as a string;

Hazardousness: High

stream_socket_server

Function: Establish an Internet or unix server connection;

Hazard: Medium

symlink

Function: Establish a symbolic link named link to an existing target;

Harmfulness: High

syslog

Function: The system layer syslog() function of the unix system can be called;

Harmfulness: Medium

system

Function: Allowed Execute an external program and echo the output, similar to passthru();

Harmfulness: High

Recommended learning: "PHP Video Tutorial"

The above is the detailed content of A brief discussion on dangerous functions that need to be disabled in PHP. For more information, please follow other related articles on the PHP Chinese website!