Is it possible to disable functions in php? I want to disable the ones that are used with php shell programs, but I'm not sure which main functions these use. I'm guessing you can disable these in php.ini?

Thanks,
Dan

In the php.ini

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions =

Hi,

could someone give a list of some functions that MUST be disabled?

I disable the following:

dl,exec,passthru,proc_open,proc_close,shell_exec,system

I just enable safe_mode as then it stops those functions (and then you can leave them open for your own site!)

I also add mysql_list_dbs() if it's a shared server.

Yup. Safe mode does pretty much the same thing. But this give a finer tune control if you want it. And you can also leave them open if you want to via .htaccess or httpd.conf

I wouldn't recommand enabling safe_mode on paid hosting :)

Most hosts do!

There is no reason why any average (i.e. one that doesn't try to execute shell functions) php script cannot work perfectly fine with safe mode on. I've NEVER needed to force a client to have safe mode off to get a script working.

I keep safe_mode turned off, but I disable safe_mode_gid
this let's php's shell functions only work for people that have ssh enabled on their account (only people we trust with it)