<![CDATA[向东博客 专注WEB应用 构架之美 --- 构架之美,在于尽态极妍 | 应用之美,在于药到病除]]> http://jackxiang.com/index.php zh-cn http://jackxiang.com/post// <![CDATA[PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security,禁用php某些函数]]> jack <xdy108@126.com> Thu, 31 Dec 2009 13:06:12 +0000 http://jackxiang.com/post// echo exec('whoami');  //这个函数较危险,一般禁用,在php.ini里可打开。
date测试的时候容易出现如下情况,data-s 查询了下,可以实现如下,
date -s "2010-1-1 16:11:21"

但是其他同事也用到date("Y-m-d H:i:s"),就会说:我在调试c程序,是谁修改了服务器时间?我说:我在测试。
于是就有人说没有必要通过date -s来修改整个服务器的时间,而是重写php的该date函数,但是我一旦重写,会提示错误的。
于是又有人说可以关闭掉,date()函数,于是查了下国外的,如下:

Q. I run a small Apache based webserver for my personal use and it is shared with friends and family. However, most script kiddie try to exploit php application such as wordpress using exec() , passthru() , shell_exec() , system() etc functions. How do I disable these functions to improve my php script security?

A. PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini For example, you cannot set this in httpd.conf.


Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source !

Save and close the file. Restart httpd:
# service httpd restart



Warning: date() has been disabled for security reasons in  /*/*/datetest.php on line 5



<?php
function date($str)
{

return "2009-12-11 21:09:35";
}
echo date("Y-m-d H:i:s");

?>

出现:
[/usr/local/tads/htdocs/qdkj/src/view]# php datetest.php

Fatal error: Cannot redeclare date() in /data/*/*/src/view/datetest.php on line 6
I think:
PHP already has a date() function and you cannot overwrite existing functions in this language. Rename your function and it will work. Or wrap it in a class and it will work as well.


于是,我在想啊,现在如果有人在用php的date,我给大家把这个date函数给disable了,大家回不会来找我呢?拭目以待。。。

EOF ]]> http://jackxiang.com/post//#blogcomment <![CDATA[[评论] PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security,禁用php某些函数]]> <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://jackxiang.com/post//#blogcomment