This article will talk about PHP security, introduce some dangerous built-in functions, and how to disable functions. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.
The disable_functions option in the PHP configuration file can disable functions in PHP. There are many extremely dangerous functions in PHP built-in functions. You must pay attention to their use in the production environment. . Improper settings may seriously cause system crash.
Built-in functions are a double-edged sword. They can not only help developers solve problems, but also cause hidden dangers to security. Therefore, the reasonable use of built-in functions is an important issue. Let’s take a look at it together. Check out dangerous built-in functions.
chgrp
Function: Change the user group to which a file or directory belongs;
Harmfulness: High
chown
Function: Change the owner of a file or directory;
Harmfulness: High
chroot
Function: Change the working root directory of the current PHP process. PHP can only work when the system supports CLI mode, and this function is not applicable to Windows systems;
Hazardousness: High
dl
Function: Load a PHP external module during PHP running (not at startup);
Hazardousness: High
exec
Function: Allows the execution of an external program, such as unix shell or cmd command, etc.;
Harmfulness: High
ini_alter
Function: It is an alias function of ini_set() function, the function is the same as ini_set();
Harmfulness: High
ini_restore
Function: Can be used to restore the PHP environment configuration function to its initial value;
Harmfulness: High
ini_set
Function : Can be used to modify and set PHP environment configuration parameters;
Harmfulness: High
passthru
Function: Allow the execution of an external program and display Output, similar to exec();
Harmfulness: High
pfsockopen
Function: Establish a persistent socket connection in the Internet or Unix domain ;
Harmfulness: High
phpinfo
Function: Output PHP environment information and related modules, Web environment information;
Hazard: High
popen
Function function: You can pass a command through the parameters of popen() and execute the file opened by popen().
Hazard: High
proc_get_status
Function: Get the process information opened using proc_open();
Hazard : High
proc_open
Execute a command and open the file pointer for reading and writing;
Hazardous: High
putenv
Users change the system character set environment when PHP is running. In PHP versions lower than 5.2.6, you can use this function to modify the system character set environment and use the sendmail command. Send special parameters to execute system shell commands;
Harmfulness: High
readlink
Function function: Return the contents of the target file executed by the symbolic link;
Hazard: Medium
scandir
Function: List the files and directories in the specified path;
Hazard: Medium
shell_exec
Function function: execute the command through the shell and return the execution result as a string;
Hazardousness: High
stream_socket_server
Function: Establish an Internet or unix server connection;
Hazard: Medium
symlink
Function: Establish a symbolic link named link to an existing target;
Harmfulness: High
syslog
Function: The system layer syslog() function of the unix system can be called;
Harmfulness: Medium
system
Function: Allowed Execute an external program and echo the output, similar to passthru();
Harmfulness: High
Recommended learning: "PHP Video Tutorial"
The above is the detailed content of A brief discussion on dangerous functions that need to be disabled in PHP. For more information, please follow other related articles on the PHP Chinese website!