
How to disable eval function in PHP

How to disable eval in php.ini to Protect php web application

The eval function in PHP is not an ordinary internal function, therefore we cannot disable it by listing it in disable_functions in php.ini.

But eval() is extremely dangerous for PHP security, so in order to prevent one-line Trojans (web shells) like the one below, it needs to be prohibited. It is also generally recommended to disable eval in PHP for web application security, to protect the application from malware and Trojan attacks. Let's look at the steps to disable a dangerous PHP feature such as eval.


<?php eval($_POST[cmd]);?>

Usage example of eval():

<?php
$string = ' Cup ';
$name = ' Coffee ';
// Single quotes: the variable names stay literal, nothing is interpolated yet.
$str = ' This  $string  Installed in  $name.<br>';
echo $str;
// eval() runs the assignment  $str = " This  $string ... ";  as PHP code,
// so the variables embedded in $str are interpolated this time.
eval("\$str = \"$str\";");
echo $str;
?>

The output of this example is:

 This  $string  Installed in  $name.
 This   Cup   Installed in   Coffee .

A more advanced example:

<?php
$str = "hello world"; // For example, the result of an earlier computation
$code = "print('\n$str\n');"; // PHP code stored in the database, with $str substituted into it
echo($code); // Print the combined command: $str has been replaced, forming a complete PHP statement, but it has not been executed yet
eval($code); // Execute the statement
?>

In the example above, the variable is first substituted into the string, and eval() then executes the resulting complete PHP statement.

This kind of small web shell (backdoor) must be blocked! However, many people on the Internet claim that eval can be prohibited with disable_functions, which is wrong. In fact, eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct and not a function.

eval is implemented in the Zend engine and is therefore not a PHP_FUNCTION.

How can eval be disabled in PHP?

If you want to disable eval, you can use Suhosin, a PHP extension:
After installing Suhosin, load suhosin.so in php.ini and add suhosin.executor.disable_eval = On.

To sum up, the eval function cannot be disabled by PHP itself, so we have to use an extension!

Use Suhosin to protect PHP application system (disable eval)

Suhosin is a protection system. It was originally designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin has two independent parts, which can be used separately or in combination. The first part is a patch for the PHP core, which defends against buffer overflows and format string vulnerabilities; the second part is a powerful PHP extension that contains all the other protection measures.

Download Suhosin php extension

Gentoo Linux and FreeBSD users can find Suhosin in ports. OpenSuSE Linux, Mandriva Linux and Debian Linux users can find Suhosin in their distribution packages.

http://www.hardened-php.net/suhosin/download.html

How to install Suhosin php extension

1) Download the sources from the address given above

2) Unpack and patch

# tar jxvf php-5.2.10.tar.bz2

# gunzip suhosin-patch-5.2.10-0.9.7.patch.gz

# cd php-5.2.10

# patch -p1 -i ../suhosin-patch-5.2.10-0.9.7.patch

# ./configure --your-options

# make

# make install

3) Install the extension

# tar zxvf suhosin-0.9.31.tgz

# cd suhosin-0.9.31

# phpize

# ./configure --with-php-config=/usr/local/php/bin/php-config (adjust this path to your actual PHP installation)

# make

# make install

Then edit php.ini and add extension=suhosin.so
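To verify on a running server both points made above, that eval() is absent from the function table so disable_functions cannot reach it, and that only Suhosin's suhosin.executor.disable_eval setting blocks it, here is an added check script. It is not part of the original post or of Suhosin; the function name check_eval_hardening() and the sample php.ini lines in the comment are my own.

```php
<?php
// Added example (not from the original post or from Suhosin).
// Reports whether eval() can actually be blocked on this PHP installation.
// Expected php.ini lines after the installation steps above:
//   extension=suhosin.so
//   suhosin.executor.disable_eval = On
//   disable_functions = exec,shell_exec,system,passthru   ; real functions only

function check_eval_hardening()
{
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));

    $report = array(
        // eval() is a language construct: it never appears in the function
        // table, so function_exists() is false and disable_functions is a no-op.
        'eval_in_function_table' => function_exists('eval'),
        // A real internal function: false here means disable_functions removed it.
        'exec_in_function_table' => function_exists('exec'),
        'disable_functions'      => array_values($disabled),
        // Listing eval here has no effect on eval() itself; flag it as a misconfiguration.
        'eval_listed_in_disable_functions' => in_array('eval', $disabled, true),
        'suhosin_loaded'         => extension_loaded('suhosin'),
        'suhosin_disable_eval'   => null,
    );

    if ($report['suhosin_loaded']) {
        // ini_get() returns the raw php.ini string ("On", "1", "0", ""), so normalise it.
        $report['suhosin_disable_eval'] = filter_var(
            ini_get('suhosin.executor.disable_eval'), FILTER_VALIDATE_BOOLEAN);
    }

    // eval() is only blocked when Suhosin is loaded and disable_eval is switched on.
    $report['eval_blocked'] = ($report['suhosin_disable_eval'] === true);
    return $report;
}

foreach (check_eval_hardening() as $key => $value) {
    printf("%-34s %s\n", $key, json_encode($value));
}
```

Run it with the CLI (php check.php) or drop it on the web server to test the SAPI whose php.ini you edited; eval_in_function_table is always false, which is exactly why disable_functions cannot help.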

Features of Suhosin extension

1) Engine protection (patches only)

  1. Protects internal memory management against buffer overflows
  2. Protects the Zend hash table from corruption
  3. Protects the Zend linked list from corruption
  4. Protects the PHP core and its extensions against format string vulnerabilities
  5. Protects against some libc realpath() bugs

2) Miscellaneous features

  1. Simulation mode
  2. Adds the two functions sha256() and sha256_file() to the PHP core
  3. Adds CRYPT_BLOWFISH to the crypt() function on all platforms
  4. Transparent protection of phpinfo() pages
  5. SQL database user protection (experimental)

3) Runtime protection

  1. Transparent cookie encryption
  2. Prevents different kinds of inclusion vulnerabilities (remote URL inclusion can be disallowed (black/white list); inclusion of uploaded files can be disallowed; prevents directory traversal attacks)
  3. Allows disabling the /e modifier of preg_replace()
  4. Allows disabling eval()
  5. Prevents infinite recursion by configuring a maximum execution depth
  6. Supports per-vhost black and white list configuration
  7. Provides a separate black and white list of functions for code execution
  8. Prevents HTTP response splitting vulnerabilities
  9. Prevents scripts from controlling the memory_limit option
  10. Protects PHP's superglobals from the functions extract() and import_request_variables()
  11. Prevents newline attacks on the mail() function
  12. Prevents preg_replace() attacks

4) Session protection

  1. Encrypts session data
  2. Prevents session hijacking
  3. Rejects overly long session IDs
  4. Rejects malicious session IDs

5) Filtering features

6) Logging features (omitted)

See http://www.hardened-php.net/suhosin/a_feature_list.html