Hello All,

How can I disable the dangerous eval function? Can that be done using ini_set function?

Also how to disable following functions? Can we disable them using ini_set function?

allow_url_fopen  
allow_url_include
exec
shell_exec
system
passthru
popen
stream_select

eval is one of the most dangerous functions that bad guys can use to exploit things. There should be a mechanism to disable that without resorting to the php.ini file; it should be done programmatically.

Well, guys, I am looking for answers suggesting how to disable these dangerous lovely fellows without going to the php.ini file; I mean, how to disable them at runtime or programmatically?

Thanks in advance....

Update

Has anyone heard about the PHP Shell Offender Script? It mainly used the eval function for the exploit. Hackers are able to run their PHP code on your site.

My question was that I don't want to disable the eval function from the php.ini file altogether. For example, I have developed my own MVC framework. Now the framework users can specify from the framework's config file whether the eval (and other) functions should be disabled or not. So this is left to the choice of the framework users. Once they specify to disable it, I should be able to disable the eval function programmatically.

So that is the scenario. Looking for helpful answers/solutions.

Thanks Again.

+2  A: 

To disable functions, mainly for security reasons, you can use the disable_functions directive in your php.ini configuration file.

But, as the documentation states:

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

I suppose this is too "internal" to be configurable anywhere else than in PHP... And as it's security related, it's up to the system administrator to configure it.


Still, the best security measure is to write clean/secure code, filter all input, escape all output... And not let anyone run their own code on your server!

Pascal MARTIN
I was looking for a solution without going to the php.ini file.
Sarfraz
+1  A: 

A large percentage of insecure Web apps infesting the Web today are PHP apps. Your question indicates that you are trying to patch security into a system in ways that are unlikely to be effective. My suggestion would be to either de-install PHP or get and apply an in-depth education in related security concepts before putting your application online.

Carl Smotricz
+3  A: 

I'm mystified why this would be an issue. Surely you don't allow anyone to load php code onto your server and run it. Or do you?

wallyk
If you have heard about the phpshell script; it is used by hackers to run their php code on your site.
Sarfraz
Or php shell offender script can use the eval function too.
Sarfraz
Well, a mean hacker that is running the PHP shell can just do an fopen() and edit a bunch of system files. Or delete a bunch of files. Or read your .htaccess. Bottom line: if I'm running php code on your box, you're toast.
Alex
A: 

The disable_functions directive is only available in the php.ini [reference http://us3.php.net/manual/en/ini.list.php]

To disable functions at runtime wouldn't make much sense, since you would be able to modify the disabled function list at runtime to re-enable functions as well.

Kenaniah
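Since disable_functions is a PHP_INI_SYSTEM directive that ini_set() cannot change, the most a framework can do at runtime is read the server's setting and refuse to start when it does not match what the framework config asks for. This is an added example, not code from the thread or from any of the answerers; the config array and the function names in it are assumed.

```php
<?php
// Added example: a framework bootstrap check for the php.ini disable_functions
// directive. ini_set() cannot alter this directive at runtime, so the check
// only reports the server's state and aborts if the required hardening is absent.
declare(strict_types=1);

// Hypothetical value read from the framework's own config file (constructed).
$requiredDisabled = ['exec', 'shell_exec', 'system', 'passthru', 'popen'];

/**
 * Return the entries of $required that php.ini has NOT listed in disable_functions.
 * eval is a language construct, not a function, so disable_functions never covers
 * it; it is therefore always reported as still enabled.
 */
function missingDisabledFunctions(array $required): array
{
    $raw = (string) ini_get('disable_functions');            // e.g. "exec,system"
    $disabled = array_map('strtolower', array_filter(array_map('trim', explode(',', $raw))));
    $missing = [];
    foreach ($required as $fn) {
        $fn = strtolower(trim($fn));
        if ($fn === 'eval' || !in_array($fn, $disabled, true)) {
            $missing[] = $fn;
        }
    }
    return $missing;
}

// Demonstrate that a runtime change is refused: ini_set() returns false
// for a directive that is only settable in php.ini.
$changed = ini_set('disable_functions', implode(',', $requiredDisabled));
var_dump($changed); // bool(false)

$missing = missingDisabledFunctions($requiredDisabled);
if ($missing !== []) {
    fwrite(STDERR, 'Hardening check failed; still enabled: ' . implode(', ', $missing) . PHP_EOL);
    exit(1);
}
echo 'All required functions are disabled by php.ini' . PHP_EOL;
```

Run it once with an empty disable_functions and once with the functions listed in php.ini to see the check flip from failing to passing.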
+1  A: 

In short: you can't do that.

But I think you don't really understand how eval and those functions are exploited. The problem occurs when programmers do not properly sanitize the ARGUMENTS that are passed to them.

The php shell offender script that you mentioned is just a simple PHP script passing arguments to those functions. But the attackers already had a way of injecting/uploading the malicious script. If you are not using these functions at all, nor passing arguments from user input, attackers can't run arbitrary code on your server using eval() or relatives.

Are you going to be hosting this framework for your users? If you are allowing users to upload and run code, then you have a bigger problem on your hands.

Read about remote code execution and remote/local file inclusion here to learn more about attacks related to this: Common PHP vulnerabilities

pcp