Disabled PHP Functions
We have disabled the following PHP functions server-wide to improve safety on our shared hosting servers:
– exec
– passthru
– shell_exec
– system
– proc_open
– popen
– curl_exec
– curl_multi_exec
– parse_ini_file
– show_source
Please create a php.ini file in your public_html directory if you want to use the above PHP functions on your website, and add the line below:
“disable_functions =” (without the double quotes)
If you are not sure how to generate a custom php.ini file, simply create a blank text file named “php.ini” in your public_html directory and add that line to it. This settings file overrides your website’s current PHP settings.
This restores the PHP default (no disabled functions) for that single domain only.
Why are PHP Functions dangerous?
Seriously, almost any PHP function can be dangerous in the right context. Functions like strlen are probably safe, but any function that talks to the outside world can bring surprises if the rest of the code is not safe. You can check the list of dangerous PHP functions in the PHP manual: http://php.net/manual.
- If you want to secure the site, security has to run throughout the code. Just disabling some function here and there is not going to work; it only blinds you and leads to sloppy coding.
- There are features in PHP that can help you write more secure code, but they won’t turn insecure code into secure code. Look at open_basedir and allow_url_fopen as examples.
- Besides that, you can use disable_functions to prohibit some actions that you consider dangerous. However, only certain classes of actions can be inhibited this way. For example, you can disable functions such as exec and system (listed above), and this will probably prevent running external programs from your code. Nonetheless, most of what those programs do can be done by PHP means too.
- Moreover, trying to prevent things like “writing a file” this way probably won’t work. Enforce that via OS permissions instead, not via PHP. So, first define exactly what you want to prohibit. Then see if it’s possible, keeping in mind that it may not be.
- Unfortunately, security is not achieved just by setting security=On in php.ini. Instead, read the security chapter in the PHP manual and some PHP security books.