
Category Archives: PHP

How to disable eval function in PHP


How to disable eval in php.ini to protect a PHP web application

eval is not an ordinary built-in function, so it cannot be switched off with the disable_functions directive in php.ini.

Yet eval() is one of the most dangerous pieces of PHP from a security standpoint. The one-line web shell below (a "one-sentence Trojan" in Chinese security slang) is all an attacker needs to run arbitrary PHP on the server once they can drop a file into the document root: every request POSTs the code to run in the cmd parameter. Disabling eval removes this whole class of web shell and malware at once, which is why it is recommended for hardening a PHP application. The steps below show how to do it.

 

<?php eval($_POST[cmd]);?>

A legitimate use of eval():

<?php
$string = 'Cup';
$name = 'Coffee';
// Single quotes: $string and $name are NOT interpolated here.
$str = 'This $string contains $name.<br>';
echo $str;
// eval() compiles and runs the statement  $str = "This $string contains $name.<br>";
// in which the two variables are now interpolated.
eval("\$str = \"$str\";");
echo $str;
?>

This example prints:

 This $string contains $name.
 This Cup contains Coffee.

A slightly more involved case:

<?php
$str = "hello world";         // e.g. the result of an earlier computation
$code = "print('\n$str\n');"; // PHP code stored in a database; $str is substituted into it here
echo $code;                   // prints the assembled statement  print('<newline>hello world<newline>');  but does not run it
eval($code);                  // now runs it, printing hello world
?>

In this example the string is first assembled with $str substituted into it, and eval() then executes the resulting complete statement.

A one-line web shell like the one above (a "pony" in Chinese security slang) has to be blocked. Many posts online suggest adding eval to disable_functions, but that advice is wrong: eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct, not a function.

eval is implemented inside the Zend engine as a language construct. It is not a PHP_FUNCTION and never appears in the function table that disable_functions filters, so listing it there has no effect.
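As an added check (not part of the original post), the shell script below confirms this on any host with the php CLI: system() disappears when listed in disable_functions, but eval keeps running even when "eval" is listed. It assumes php is on PATH and passes -n so that no installed php.ini interferes with the -d override.

```shell
#!/bin/sh
# Added example: demonstrate that disable_functions stops a real internal
# function (system) but has no effect on eval, which is a Zend language
# construct rather than a PHP_FUNCTION. Assumes a `php` CLI binary on PATH.

command -v php >/dev/null 2>&1 || echo "warning: php CLI not found on PATH" >&2

# $1 = value for disable_functions, $2 = PHP code to run under that setting.
# -n ignores every php.ini so the result depends only on the -d override.
run_php_with_disabled() {
    php -n -d "disable_functions=$1" -r "$2" 2>&1
}

# Returns 0 if system() still executes although it is disabled (it must not).
system_runs_when_disabled() {
    out=$(run_php_with_disabled system 'system("echo SYSTEM_RAN");')
    case "$out" in *SYSTEM_RAN*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 if eval() still executes although "eval" is listed (it does).
eval_runs_when_disabled() {
    out=$(run_php_with_disabled eval 'eval("echo \"EVAL_RAN\";");')
    case "$out" in *EVAL_RAN*) return 0 ;; *) return 1 ;; esac
}

if system_runs_when_disabled; then
    echo "system(): NOT blocked by disable_functions=system"
else
    echo "system(): blocked by disable_functions=system"
fi

if eval_runs_when_disabled; then
    echo "eval: still runs despite disable_functions=eval"
else
    echo "eval: blocked"
fi
```

On PHP 7 the disabled system() call produces a "has been disabled for security reasons" warning; on PHP 8 it is an uncaught Error, as if the function did not exist. Either way the eval line prints, which is the whole point of the article.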

So how can eval be disabled?

The way to disable eval is the Suhosin PHP extension:
after installing Suhosin, load it in php.ini with extension=suhosin.so and add suhosin.executor.disable_eval = On.

To sum up, PHP itself cannot disable eval; an extension has to do it. Be aware that the stable Suhosin releases support only PHP 5 and the project is no longer maintained, so on PHP 7 and 8 this switch is not available. There, the realistic controls are keeping attackers from writing files into the document root and scanning the document root for eval-based web shells.
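Where eval cannot be switched off, the next best control is to find the one-line web shells that use it. The scanner below is an added example, not code from the original article: it searches a document root for eval() fed directly from a request superglobal or from base64_decode(), which is the shape of the shell shown above. The pattern, the file extensions it checks and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: scan a PHP document root for one-line eval() web shells.
# Uses only find and grep so it runs on any POSIX host.
# Usage: scan_for_eval_shells /var/www/html
#
# The pattern is deliberately narrow: eval( followed by $_POST/$_GET/
# $_REQUEST/$_COOKIE or by base64_decode(. Legitimate code rarely does
# either, so every hit deserves a look.
SHELL_PATTERNS='eval[[:space:]]*\([[:space:]]*(\$_(POST|GET|REQUEST|COOKIE)|base64_decode)'

# Print the path of every PHP source file under $1 (default: .) that matches.
scan_for_eval_shells() {
    find "${1:-.}" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.inc' \) \
        -exec grep -lEi -e "$SHELL_PATTERNS" {} + 2>/dev/null
}

# Number of suspicious files under $1; always exits 0 so it is safe in scripts.
count_eval_shells() {
    scan_for_eval_shells "$1" | wc -l | tr -d ' '
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    n=$(count_eval_shells "$1")
    scan_for_eval_shells "$1"
    echo "$n suspicious file(s) under $1"
fi
```

Run it from cron and diff the output against the previous run; a new hit in a directory the web server can write to (uploads, cache) is the classic sign of a dropped shell. Obfuscated shells that assemble the function name at runtime will not match this pattern, so treat a clean result as "nothing obvious", not as proof of absence.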

Use Suhosin to protect a PHP application (disable eval)

Suhosin is a protection system for PHP. It was designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core itself. It has two independent parts that can be used separately or together: a patch against the PHP core that hardens it against buffer overflows and format string weaknesses, and a PHP extension that implements all the other protections.

Download the Suhosin PHP extension

Gentoo Linux and FreeBSD users will find Suhosin in ports; openSUSE, Mandriva Linux and Debian ship it as a distribution package.

http://www.hardened-php.net/suhosin/download.html

How to install the Suhosin PHP extension

1) Download the patch and the extension from the address given above.

2) Unpack the PHP source and apply the patch (the version numbers below are the ones the original post used; match the patch to your PHP version):

# tar jxvf php-5.2.10.tar.bz2

# gunzip suhosin-patch-5.2.10-0.9.7.patch.gz

# cd php-5.2.10

# patch -p1 -i ../suhosin-patch-5.2.10-0.9.7.patch

# ./configure [your usual configure options]

# make

# make install

3) Build and install the extension against the patched PHP:

# tar zxvf suhosin-0.9.31.tgz

# cd suhosin-0.9.31

# phpize

# ./configure --with-php-config=/usr/local/php/bin/php-config   (adjust the path to your PHP installation)

# make

# make install

Then edit php.ini, add extension=suhosin.so, and add the suhosin.* settings you want, such as suhosin.executor.disable_eval = On.
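As an added example (not from the original post or the Suhosin project), here is that php.ini step as a shell function that writes a drop-in file, plus a check a deployment script can run before reloading PHP. The directives it writes are the documented Suhosin settings suhosin.executor.disable_eval, suhosin.executor.disable_emodifier and suhosin.executor.func.blacklist; the conf.d target path and the contents of the blacklist are this example's own choices.

```shell
#!/bin/sh
# Added example: write a php.ini drop-in that loads Suhosin and turns on the
# eval-related protections, then verify it. Assumes a PHP build that reads a
# conf.d directory; pass the target file as the first argument.
# Usage: write_suhosin_ini /usr/local/php/etc/conf.d/suhosin.ini

write_suhosin_ini() {
    target=$1
    cat > "$target" <<'EOF'
; Load the Suhosin extension built with phpize / make install above.
extension=suhosin.so

; Refuse to execute eval() at all: a script that calls it dies with a
; Suhosin error instead of running attacker-supplied code.
suhosin.executor.disable_eval = On

; The /e modifier of preg_replace() is eval in disguise; block it as well.
suhosin.executor.disable_emodifier = On

; Functions a web shell reaches for once it has code execution.
; (Blacklist contents chosen for this example; tune to your application.)
suhosin.executor.func.blacklist = system,exec,shell_exec,passthru,popen,proc_open
EOF
}

# Returns 0 when the drop-in loads the extension and disables eval.
suhosin_ini_ok() {
    grep -q '^extension=suhosin.so' "$1" \
        && grep -q '^suhosin.executor.disable_eval = On' "$1"
}

# Returns 0 when the running php binary actually has Suhosin loaded.
suhosin_loaded() {
    php -m 2>/dev/null | grep -qi '^suhosin$'
}

if [ "$#" -gt 0 ]; then
    write_suhosin_ini "$1" && suhosin_ini_ok "$1" && echo "wrote $1"
fi
```

After reloading PHP, confirm the setting took effect with a throwaway script that calls eval(): with suhosin.executor.disable_eval on it must be refused, not executed.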

Features of Suhosin

1) Engine protection (from the core patch only)

  1. Protects the internal memory manager against buffer overflows
  2. Protects the destructors of Zend hash tables
  3. Protects the destructors of Zend linked lists
  4. Protects the PHP core and its extensions against format string vulnerabilities
  5. Protects against some libc realpath() bugs

2) Miscellaneous features

  1. Simulation mode (violations are logged but not blocked)
  2. Adds sha256() and sha256_file() to the PHP core
  3. Adds CRYPT_BLOWFISH support to crypt() on all platforms
  4. Transparent protection against information leakage on the phpinfo() page
  5. SQL database user protection (experimental)

3) Runtime protection

  1. Transparent cookie encryption
  2. Protection against several kinds of include vulnerabilities: remote URL inclusion (black/white list), inclusion of uploaded files, and directory traversal
  3. Can disable the /e modifier of preg_replace()
  4. Can disable eval()
  5. Protection against infinite recursion through a configurable maximum execution depth
  6. Per-vhost configurable function black/white lists
  7. A separate function black/white list for code executed through eval
  8. Protection against HTTP response splitting
  9. Prevents scripts from raising the memory_limit option
  10. Protects PHP's superglobals against extract() and import_request_vars()
  11. Protection against newline injection in mail()
  12. Protection against preg_replace() attacks

4) Session protection

  1. Transparent session data encryption
  2. Protection against session hijacking
  3. Rejects over-long session IDs
  4. Rejects malicious session IDs

5) Filtering features (omitted)

6) Logging features (omitted)

Refer to http://www.hardened-php.net/suhosin/a_feature_list.html

 


How to fix the 500 Internal Server Error in WordPress

Of all the HTTP error and status codes a WordPress site can return, the 500 Internal Server Error (HTTP error 500) is the worst to deal with, because it says nothing about the cause.

WordPress sites run into it often, and there are several potential causes.

Causes:

  • Exhausted PHP memory limit
  • A faulty plugin
  • A faulty theme (usually its functions.php)
  • A corrupted .htaccess file

What Is the 500 Internal Server Error?

A fairly general HTTP status code, the 500 Internal Server Error indicates that something unexpected has happened on your website's server. If you see this message, there is no need to panic: the problem, whatever it may be, is on the server, not on your computer.

The catch is that the server does not tell you what the exact problem is; all the browser sees is the status code 500. The details are in the web server's or PHP's error log, so check that first if you have access to it.

Solutions to 500 Internal Server Error

Solution #1. Increase the memory limit

Raise the memory available to WordPress by defining WP_MEMORY_LIMIT (for example 256M) in wp-config.php, above the line that loads wp-settings.php; if your host caps memory_limit in php.ini, ask them to raise it. The step-by-step instructions are in the HowToFix Blog post on increasing the memory limit.

Solution #2. Edit .htaccess file

A corrupted .htaccess file is the next suspect. Open your document root over FTP or in the file manager and rename .htaccess to .htaccess_old, then refresh your website and see whether the error persists. If that fixes it, go to Settings > Permalinks in the WordPress admin and click Save Changes, which writes a fresh .htaccess.

Solution #3. Deactivate all the plugins

If renaming .htaccess made no difference, check your plugins. Go to Plugins > Installed Plugins, select all of them, choose "Deactivate" from the "Bulk actions" drop-down and click Apply. Now refresh your website and check whether the error is gone. If it is, reactivate the plugins one at a time, refreshing after each, to find the one that causes the problem.

Solution #4. Replace wp-admin and wp-includes folders

If nothing else works, replace your wp-admin and wp-includes folders with fresh copies from a clean WordPress download of the same version: rename the two old folders, upload the new ones, and refresh the browser to see whether the problem is resolved. Leave wp-content alone, since that is where your themes, plugins and uploads live.
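As an added example that is not part of the original post, the four solutions above as shell functions you can run over SSH against the document root. Each step is reversible (the original file or folder is kept under a .bak or .off name). It assumes a standard WordPress layout (wp-config.php, .htaccess and wp-content/plugins in the document root) and, for the last step, an already unpacked WordPress release to copy from.

```shell
#!/bin/sh
# Added example: the four 500-error fixes as reversible shell steps.
# Usage: wp500_fix <docroot> memory|htaccess|plugins|core [256M | fresh_wp_dir]

# Solution #1: raise the memory limit. Inserts define('WP_MEMORY_LIMIT', ...)
# before the "That's all, stop editing!" comment (or, failing that, before the
# require of wp-settings.php) so the define runs before WordPress loads.
wp_set_memory_limit() {
    root=$1; limit=${2:-256M}
    cfg="$root/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    if grep -q 'WP_MEMORY_LIMIT' "$cfg"; then
        echo "WP_MEMORY_LIMIT already set in $cfg"; return 0
    fi
    cp "$cfg" "$cfg.bak"
    line="define('WP_MEMORY_LIMIT', '$limit');"
    awk -v line="$line" \
        '/That.s all, stop editing|wp-settings\.php/ && !done { print line; done=1 } { print }' \
        "$cfg.bak" > "$cfg"
    grep -q 'WP_MEMORY_LIMIT' "$cfg" || {
        echo "marker not found; add the define by hand before wp-settings.php" >&2; return 1; }
}

# Solution #2: move .htaccess aside. WordPress regenerates it from
# Settings > Permalinks once the site loads again.
wp_disable_htaccess() {
    [ -f "$1/.htaccess" ] || { echo "no .htaccess in $1"; return 0; }
    mv "$1/.htaccess" "$1/.htaccess_old"
}

# Solution #3: deactivate every plugin at once. WordPress deactivates plugins
# whose files are missing, so renaming the directory is the command-line
# equivalent of the bulk "Deactivate" action; the empty directory avoids
# "plugins folder missing" warnings. Move folders back one by one to bisect.
wp_disable_plugins() {
    [ -d "$1/wp-content/plugins" ] || { echo "no plugins dir in $1" >&2; return 1; }
    mv "$1/wp-content/plugins" "$1/wp-content/plugins.off"
    mkdir "$1/wp-content/plugins"
}

# Solution #4: swap in pristine wp-admin and wp-includes from an unpacked
# WordPress release ($2), keeping the old ones as .bak. wp-content is untouched.
wp_replace_core() {
    root=$1; fresh=$2
    for d in wp-admin wp-includes; do
        [ -d "$fresh/$d" ] || { echo "$fresh/$d missing" >&2; return 1; }
        if [ -d "$root/$d" ]; then mv "$root/$d" "$root/$d.bak"; fi
        cp -R "$fresh/$d" "$root/$d"
    done
}

wp500_fix() {
    case $2 in
        memory)   wp_set_memory_limit "$1" "${3:-256M}" ;;
        htaccess) wp_disable_htaccess "$1" ;;
        plugins)  wp_disable_plugins "$1" ;;
        core)     wp_replace_core "$1" "$3" ;;
        *) echo "usage: wp500_fix <docroot> memory|htaccess|plugins|core [arg]" >&2; return 2 ;;
    esac
}

if [ "$#" -ge 2 ]; then wp500_fix "$@"; fi
```

Work through the steps in the order the article gives them, reloading the site after each; stop at the first one that clears the error and undo the others so you change as little as possible. Take a backup before the core swap, and check the server error log between steps, since it usually names the failing file outright.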

Naming Variants for 500 Internal Server Errors

There are actually quite a few names or phrases that can indicate you’re dealing with a 500 internal server error. Depending on your web server or the particular problem, you could receive any of the following variants:

  • 500 Internal Server Error
  • Internal Server Error
  • Error 500
  • HTTP Error 500
  • HTTP Error 500 – Internal Server Error
  • Temporary Error (500)
