Security Potentially dangerous functions in PHP

  • Thread starter D•Jass



List of dangerous functions

exec() - calls an external program
proc_open() - executes a command and opens file pointers for I/O
shell_exec() - executes a command in a shell and returns the full output as a string
system() - calls an external program and displays the result
passthru() - calls an external program and displays the "raw" result
popen() - opens a process file pointer
show_source() - displays the source text of the current web page
disk_free_space() - gets the amount of available space in a directory
diskfreespace() - alias for the disk_free_space() function
disk_total_space() - returns the total disk space
eval() - evaluates the string given in the parameter as PHP code
fileperms() - gets file permission information
fopen() - opens a file or URL
opendir() - returns a handle to a directory for later use with the closedir(), readdir() and rewinddir() functions
phpinfo() - displays all information about PHP and the OS
phpversion() - displays the PHP version
posix_getpwuid() - returns information about a user by their user ID
posix_getgrgid() - returns information about a group by its group ID
posix_uname() - gets the system name; returns a hash of strings with system information
php_uname() - returns information about the OS that PHP was built on
ini_get() - gets the value of a configuration option
ini_get_all() - gets all configuration options
parse_ini_file() - parses the configuration file (for Joomla, it's better not to disable parse_ini_file)

To disable the functions, open the php.ini file and add the parameter:
disable_functions = exec,proc_open,shell_exec,system,passthru,popen,show_source,disk_free_space,diskfreespace,disk_total_space,eval,fileperms,fopen,opendir,phpinfo,phpversion,posix_getpwuid,posix_getgrgid,posix_uname,php_uname,ini_get,ini_get_all,parse_ini_file
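A quick way to verify that the php.ini change actually took effect is to ask the running PHP instance which of the listed functions are still callable. The script below is an added example, not part of the original post; it relies on function_exists() returning false for functions removed by disable_functions, so it still works when ini_get() itself has been disabled.

```php
<?php
// Added audit script (not from the original post): reports which of the listed
// functions can still be called on this PHP instance, so the disable_functions
// setting can be verified after editing php.ini and reloading PHP-FPM/Apache.
declare(strict_types=1);

// The list from the post, minus eval (see the note at the bottom).
const DANGEROUS_FUNCTIONS = [
    'exec', 'proc_open', 'shell_exec', 'system', 'passthru', 'popen',
    'show_source', 'disk_free_space', 'diskfreespace', 'disk_total_space',
    'fileperms', 'fopen', 'opendir', 'phpinfo', 'phpversion',
    'posix_getpwuid', 'posix_getgrgid', 'posix_uname', 'php_uname',
    'ini_get', 'ini_get_all', 'parse_ini_file',
];

/**
 * Returns the names from $names that are still callable.
 * function_exists() returns false for functions removed by disable_functions,
 * so this check does not depend on ini_get() being available.
 *
 * @param string[] $names
 * @return string[]
 */
function stillEnabled(array $names): array
{
    return array_values(array_filter($names, 'function_exists'));
}

$enabled = stillEnabled(DANGEROUS_FUNCTIONS);

if ($enabled === []) {
    echo "All listed functions are disabled.\n";
} else {
    echo "Still callable (add to disable_functions in php.ini):\n";
    foreach ($enabled as $name) {
        echo "  - {$name}()\n";
    }
}

// eval is a language construct, not a function: disable_functions has no effect
// on it and function_exists('eval') is always false. Use of eval() has to be
// found by code review instead (e.g. grep -rn 'eval(' across the web root).
```

Run it through the same SAPI you hardened (PHP-FPM or mod_php), since the CLI often reads a different php.ini and will report a different result.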