Results 1 to 3 of 3
  1. #1
    Join Date
    Apr 2003

    Can share your disable_functions?


    If you work/own a hosting company, would you share your PHP disable_function to all of us here?

    That might help a lot of people here! Build up the security and prevent hackers!

    If disagree to me, then......ignore me

  2. #2
    Join Date
    Mar 2006
    I do not work/own a hosting company, but from a php security viewpoint, i would say this:

    in php.ini
    register_globals off
    allow_url_fopen off

    register globals on makes php automatically convert $_GET or $_POST variables to global variables. Say that you call admin.php?loggedin=1&isadmin=1 and have register globals on, the varibales $_GET['loggedin'] and $_GET['isadmin'] would automatically be converted into $loggedin and $isadmin, both with the value of 1. This is often seen as a major source of php security holes. allow_url_fopen allows you to open offsite files with php, and is often seen as a security hazard as well, it's a bit harder to explain tho...

    log_errors On
    display_errors Off
    (if you don't have an error_log value, set it to something like /var/log/php_log etc)
    error_reporting = E_ALL & ~E_NOTICE | E_STRICT

    Here we set errors to be logged, and not displayed to the client. Often a hacker will need the full path to a script, or the mysql error when doing mysql injections, and a normal way to get these is to make the script generate en error which will then contain the information needed... The reported errors are all, except for notices and stricts, since a lot of php coders don't care about whether or not they make these kind of errors, most of the time the script will work anyway. If you wish to log notices and stricts as well, your log file will be filled up very quickly. Note that strict should not be included in php versions under 5.0

    disable_functions = proc_open , popen, disk_free_space, diskfreespace, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
    This is most of the system level commands which can really do some damage to your system if your permissions aren't right.

    It's generally a good idea to set Open_basedir values to the different virtual hosts as well (can be done in apache conf with the <VirtualHost> or <Directory> blocks). Hope that answers your question good enough
    || Semi-professional PHP developer || Exams right now, don't I just feel lucky? ||

  3. #3
    Join Date
    Apr 2005
    allow_url_fopen = On
    allow_url_include = Off
    disable_classes = pBot
    Zach E. -
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 ❘ USA: 1-800-995-8256

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts