Why are PHP Functions dangerous?
Under the right circumstances, practically any PHP function can be dangerous. Functions such as strlen are probably safe, but if the rest of the code is not secure, any function that interacts with the outside world can produce surprises. The list of hazardous PHP functions is available here: http://php.net/manual.
- Security has to be present throughout the code if you wish to protect the website. Simply turning off a few functions here and there will not achieve anything; it will only make you blind to the real problems and result in shoddy coding.
- PHP's features can help you write more secure code, but they will not turn insecure code into secure code. See, for example, open_basedir and allow_url_fopen.
- Additionally, you can forbid some actions that you deem unsafe using disable_functions. Only some classes of actions can be restricted this way, though. For instance, you might disable the functions that launch external programs, which would probably stop your code from running outside applications; however, PHP itself is able to perform the majority of the tasks those tools carry out.
- Additionally, attempting to prevent actions like "writing a file" from within PHP will definitely not succeed. Use the OS permissions for that instead of PHP. Decide exactly what you want to forbid first, then check whether it is achievable, bearing in mind that it might be impossible.
- Unfortunately, security is not achieved by just setting security=On in php.ini. Therefore, read the security chapter in the PHP manual and some PHP security books.
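As an added example (not part of the original answer), the following PHP script audits the three directives discussed above plus the OS-level check the answer recommends: it reports whether open_basedir is set, whether allow_url_fopen is on, what disable_functions contains, and whether the PHP process can write to the document root. The path /var/www/html and the function name audit_php_hardening are assumptions for illustration.

```php
<?php
// Added audit example, not code from the original answer. Reports whether the
// php.ini hardening directives named in the text are in effect and whether the
// OS permissions on a document root let the PHP process write to it.

function audit_php_hardening(string $docroot): array {
    $findings = [];

    // open_basedir: empty means file access is limited only by OS permissions.
    $basedir = ini_get('open_basedir');
    $findings['open_basedir'] = ($basedir === '' || $basedir === false)
        ? 'WEAK: not set, filesystem access is limited only by OS permissions'
        : 'set: ' . $basedir;

    // allow_url_fopen: when on, file functions such as fopen()/include()
    // accept http:// and ftp:// URLs, so untrusted paths can reach remote hosts.
    $findings['allow_url_fopen'] = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        ? 'WEAK: On, file functions can fetch remote URLs'
        : 'Off';

    // disable_functions: listed names cannot be called, but, as the text notes,
    // disabling a few functions does not remove equivalent functionality.
    $names = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $disabled = array_values(array_filter($names, 'strlen'));
    $findings['disable_functions'] = $disabled
        ? count($disabled) . ' function(s) disabled: ' . implode(', ', $disabled)
        : 'none disabled';

    // OS permissions: the control the text recommends instead of relying on PHP.
    // A document root the PHP process can write to lets any file-writing bug
    // in the application drop new scripts into the served tree.
    $findings['docroot_writable'] = is_writable($docroot)
        ? 'WEAK: PHP process can write to ' . $docroot
        : 'read-only for the PHP process';

    return $findings;
}

// Usage with an assumed document root path; adjust for your deployment.
foreach (audit_php_hardening('/var/www/html') as $directive => $result) {
    printf("%-20s %s\n", $directive, $result);
}
```

Run it under the same SAPI and user as the web server (for example via a CLI invocation as the www-data user, or temporarily from a web request) so that ini_get and is_writable reflect the settings and permissions the application actually runs with.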