Several days ago I attended a seminar where they were talking about "dangerous" PHP functions. They did not say, however, whether we should use them. They named eval(), preg_match(), exec() and a lot more.
Though I don't use them, or don't use them often, sometimes I have to. Is it considered bad practice to use those functions? Even if I know that where I use them no user can reach it?
Edit: For the preg_match() question, check out this: preg_match() security hole
All of those methods basically allow injected code to be run on your system if you don't protect against it. There's a chance of you shooting yourself in the foot if you do use them without knowing what the dangers are. If you're fully aware of what you're doing, and you have no alternative but to use this method, then there isn't much else you can do in any case.
This question has a pretty comprehensive list of exploitable functions in PHP: Exploitable PHP functions
Really it's a matter of taste. It's really just having enough rope to hang yourself. As long as you are 100% sure that no users can input directly into an eval or exec statement, you're probably okay, but it's hard to make a case that there shouldn't be a different, safer way to do what you're trying.
If your server is ever compromised, perhaps by a code injection attack from a poorly secured form or include() call, then some little-used but very powerful PHP functions give the attacker just too much control over your entire system via exec(), so you can block these functions completely in your ini file.
Quote php.ini:
; This directive allows you to disable certain functions for security
; reasons. It receives a comma-delimited list of function
; names. This directive is NOT affected by whether Safe Mode is
; turned On or Off.
disable_functions =
Edit: JohnP's link lists all the functions you should be wary of.
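A concrete form of the directive this answer quotes, as an added example that is not part of the answer. The function list is an illustrative assumption, not a list the answer gives; pick the set your own scripts can live without. One caveat the answer does not mention: eval is a language construct, not a function, so disable_functions cannot block it, and the other answers' advice (never let untrusted data reach eval) is the only control for it.

```ini
; php.ini (added example). The shipped default is an empty list,
; so nothing is disabled:
; disable_functions =

; Hardened: comma-delimited names of functions that no script may call.
; The exact set below is an assumption for illustration.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

After restarting the web server or PHP-FPM, `php -i | grep disable_functions` shows the effective value; a script that calls a listed function fails with an error instead of running the command, which is the behaviour you want to verify in a staging environment before relying on it.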
There is no such thing as a "dangerous" function. There are:
- sloppy programmers who don't handle user input properly
- sloppy system administrators who don't secure their servers on the system level
Every PHP function can be "dangerous" if you don't take adequate security measures. This includes echo (XSS), mail (mail injection), file functions (e.g. readfile('/etc/passwd')), etc.
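The point made in this answer and the ones above is that the risk sits in how untrusted data reaches a function, not in the function itself. The following is an added example, not code from any answer on this page: each pair shows the sloppy form beside the hardened form for exec-style calls, for echo, and for eval. All function names (ping_unsafe, greet_hardened, dispatch_hardened and so on) are hypothetical, and the inputs at the bottom are constructed, not real requests.

```php
<?php
// Added example (not from this page). Hypothetical scenario: a page pings a
// host taken from the request, greets a user by name, and dispatches an action.
declare(strict_types=1);

// --- exec / shell_exec -----------------------------------------------------

// Sloppy: request data is spliced straight into a shell command, so any
// character with shell meaning in $host changes what the shell runs.
function ping_unsafe(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// Hardened: validate against a strict allowlist first, then still quote with
// escapeshellarg() so the value can only ever be a single argument.
// The /D modifier matters: without it, PCRE's $ also matches before a
// trailing "\n", which is the preg_match() filter hole the question links to.
function ping_hardened(string $host): string
{
    if (preg_match('/^[A-Za-z0-9.-]{1,253}$/D', $host) !== 1) {
        throw new InvalidArgumentException('hostname rejected');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// --- echo (the XSS case) ---------------------------------------------------

// Sloppy: the name is emitted into HTML as-is.
function greet_unsafe(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: encode for the HTML context before output.
function greet_hardened(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- eval ------------------------------------------------------------------

function action_list(): string { return 'listing'; }
function action_show(): string { return 'showing'; }

// Sloppy: source code is assembled from data and compiled at runtime.
function dispatch_unsafe(string $action): string
{
    return (string) eval("return action_{$action}();");
}

// Hardened: the same dispatch with a fixed lookup table; nothing is compiled,
// and unknown names are rejected rather than interpreted.
function dispatch_hardened(string $action): string
{
    $table = ['list' => 'action_list', 'show' => 'action_show'];
    if (!isset($table[$action])) {
        throw new InvalidArgumentException('unknown action');
    }
    return $table[$action]();
}

// --- constructed sample inputs --------------------------------------------

echo greet_hardened('<b>Mallory</b>'), "\n";
echo dispatch_hardened('list'), "\n";

try {
    dispatch_hardened('delete_everything');
} catch (InvalidArgumentException $e) {
    echo 'dispatch: ', $e->getMessage(), "\n";
}

try {
    // A value that the same pattern WITHOUT /D would have accepted.
    ping_hardened("example.com\n");
} catch (InvalidArgumentException $e) {
    echo 'ping: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The hardened functions do the same jobs as the sloppy ones; the difference is that each decides what the input is allowed to be before handing it to a function that will act on it, which is exactly the "adequate security measures" this answer refers to. If disable_functions (see the previous answer) has removed shell_exec, ping_hardened will fail with an error rather than run, so prefer the validation shown here over relying on the ini setting alone.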
Here is a post where the author is asking why eval is dangerous: http://blog.joshuaeichorn.com/archives/2005/08/01/using-eval-in-php/ (please read the answers). Here is another interesting and short article: http://www.hardened-php.net/suhosin/a_feature_list:eval_black_and_whitelist.html
IMHO the problem is that if you use a function like eval or exec you need 100% knowledge of what variables are passed to them. Given that exec can "interfere" with your operating system, it can be really dangerous.
- exec: Personally I'm using exec only for jobs that do not depend on user input or untrusted data.
- eval: Makes the code hard to understand and hard to develop, and by using it, after a time you can have a real problem finding potential problems. It also seems hard to test...
- preg_match: the only problem that I know of is here: http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filters.html
Regards, Tom
Well... I don't think preg_match is something so "dangerous". eval and exec on the other hand are a bit bad. Especially exec, which is even mostly forbidden on hosting servers because it adds really HUGE HUGE security risks.