Securing PHP : Disabling Dangerous PHP Functions

PHP is a very popular language nowadays. But at the same time, it’s also one of the main sources for user accounts and servers getting compromised. Every PHP developer and hoster should understand the primary attack vectors being used by attackers against PHP applications. They also should be able to classify PHP functions that allowed to be used and disable cirtain functions that can be categorized as dangerous.

Based on my experience and a big help from Google, I can categorize the following functions as dangerous :-

Now you need to verify your php.ini location

And look for Configuration File (php.ini) Path


Now, edit the configuration file with root permission

sudo nano /etc/php5/apache2/php.ini

Look for the disable_functions = “” and modify it to

disable_functions = "shell_exec, eval, exec, system, proc_get_status, inject_code, proc_nice, proc_open, proc_terminate, apache_child_terminate, apache_setenv, fp, fput, ftp_connect, tp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, popen, escapeshellcmd, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, osix_setuid, posix_setuid, posix_uname, syslog, xmlrpc_entity_decode, proc_close, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, passthru, phpAds_xmlrpcDecode, hpAds_xmlrpcEncode, mysql_pconnect, escapeshellarg, highlight_file, define_syslog_variables, ini_restore,ini_alter, ini_get_all, openlog"

Make sure you save before exit.

Now restart Apache for the changes to take effect.

The default PHP configuration is intended for development purposes. Therefore, it is always advisable to reconfigure PHP before going into production phase. Some security settings are also recommended during the development phase to prevent programmers from producing vulnerable code, and make them stick to secure techniques.

Until next episode..


Leave a Reply