PHP: How To Disable Dangerous Functions


Question

How can I disable the dangerous eval function? Can that be done using the ini_set function?

Also, how do I disable the following functions? Can we disable them using the ini_set function?

allow_url_fopen  
allow_url_include
exec
shell_exec
system
passthru
popen
stream_select

eval is one of the most dangerous functions that bad guys can use to exploit things. There should be a mechanism to disable that without resorting to the php.ini file; it should be done programmatically.

Well, guys, I am looking for answers suggesting how to disable these dangerous lovely fellows without going to the php.ini file; I mean, how to disable them at runtime or programmatically?

Thanks in advance....

Update

Has anyone heard about the PHP Shell Offender Script? It mainly used the eval function for the exploit. Hackers are able to run their PHP code on your site.

My question was that I don't want to disable the eval function from the php.ini file altogether. For example, I have developed my own MVC framework. Now the framework users can specify from the framework's config file whether the eval (and other) functions should be disabled or not. So this is left to the choice of the framework users. Once they specify to disable it, I should be able to disable the eval function programmatically.

So that is the scenario. Looking for helpful answers/solutions.

Thanks again.

Recommended answer

To disable functions, mainly for security reasons, you can use the disable_functions directive in your php.ini configuration file.

However, as the documentation says:

This directive must be set in php.ini. For example, you cannot set this in httpd.conf.

I suppose this is too "internal" to be configurable anywhere else than in PHP... And as it's security related, it's up to the system administrator to configure it.

Still, the best security measure is to write clean/secure code, filter all input, escape all output... And not let anyone run their own code on your server!
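As an added example, not part of the original answer: the php.ini settings the answer refers to, followed by a startup check a framework can run. Because disable_functions is a PHP_INI_SYSTEM directive, ini_set() cannot change it and returns false, so the runtime route the question asks for is not available; the most a framework can do is verify the administrator's setting and refuse to start. The function names come from the question; disabledFunctions() and checkHardening() are hypothetical helpers written for this example.

```php
<?php
// Added example, not from the original answer.
// php.ini is the only place this can be set (PHP_INI_SYSTEM):
//   disable_functions = exec,shell_exec,system,passthru,popen,stream_select
//   allow_url_fopen = Off
//   allow_url_include = Off
// Note: eval is a language construct, not a function, so disable_functions
// does not cover it; only not running untrusted code helps there.

// Parse the comma-separated disable_functions value into a normalized list.
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_values(array_map('strtolower', $names));
}

// Return the entries of $required that are still callable, i.e. neither
// listed in disable_functions nor absent from this PHP build.
function checkHardening(array $required): array
{
    $disabled = disabledFunctions();
    $stillEnabled = [];
    foreach ($required as $fn) {
        $fn = strtolower($fn);
        // function_exists() also reports false for disabled functions.
        if (!in_array($fn, $disabled, true) && function_exists($fn)) {
            $stillEnabled[] = $fn;
        }
    }
    return $stillEnabled;
}

// ini_set() returns false for PHP_INI_SYSTEM directives, so the
// "programmatic" disabling the question asks about cannot work.
if (ini_set('disable_functions', 'exec,system') !== false) {
    fwrite(STDERR, "Unexpected: disable_functions changed at runtime\n");
}

// Fail closed at framework startup instead of silently running unhardened.
$stillEnabled = checkHardening(['exec', 'shell_exec', 'system', 'passthru', 'popen']);
if ($stillEnabled !== []) {
    fwrite(STDERR, "Not disabled in php.ini: " . implode(', ', $stillEnabled) . "\n");
    exit(1);
}
echo "All required functions are disabled.\n";
```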
