PHP.INI settings: Disable exec, shell_exec, system, popen and Other Functions To Improve Security (disabling certain PHP functions)

jackxiang 2009-12-31 21:06

While testing date handling it is easy to run into the following situation. I looked up `date -s`, and it can be done like this:
date -s "2010-1-1 16:11:21"

But other colleagues also use date("Y-m-d H:i:s"), so they ask: "I'm debugging a C program, who changed the server time?" I say: "I'm testing."
Then someone said there is no need to change the whole server's time with date -s; just rewrite PHP's date function instead. But as soon as I rewrite it, it reports an error.
Then someone else said the date() function could simply be disabled, so I looked up a foreign source, which follows:

Q. I run a small Apache-based webserver for my personal use and it is shared with friends and family. However, most script kiddies try to exploit PHP applications such as WordPress using the exec(), passthru(), shell_exec(), system() etc. functions. How do I disable these functions to improve my PHP script security?

A. PHP has a lot of functions which can be used to crack your server if not used properly. You can set a list of functions in php.ini using the disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini; for example, you cannot set it in httpd.conf.


Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Save and close the file. Restart httpd:
# service httpd restart
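After the restart it is worth confirming that the directive is really in force in the PHP that serves requests, not just in whatever php.ini the command line happens to read. The script below is an added example, not code from the original post or the quoted source. It assumes the required list is the one from the post (your own policy may add names), and it flags two gaps a bare list can hide: alias names (show_source is an alias of highlight_file, ini_alter of ini_set) that stay callable when only one of the pair is listed, and names that the running interpreter still reports as existing.

```php
<?php
// Added example, not part of the original post: checks that the
// disable_functions hardening above is actually in force in the PHP that
// handles requests, and flags two gaps the bare list can hide.
// Assumption: the required list below is the one from the post.
// Run it through the same SAPI as your site (drop it in the docroot and
// fetch it in a browser, or `php -c /etc/php.ini audit.php` on the CLI).

/** Parse a php.ini-style comma-delimited list into a set of lowercase names. */
function parse_disable_functions(string $raw): array
{
    $names = [];
    foreach (explode(',', $raw) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $names[$name] = true;
        }
    }
    return $names;
}

/**
 * Names that are aliases of one another. disable_functions works per name,
 * so disabling only one of a pair leaves the other callable.
 */
const FUNCTION_ALIASES = [
    'show_source'    => 'highlight_file',
    'highlight_file' => 'show_source',
    'ini_alter'      => 'ini_set',
    'ini_set'        => 'ini_alter',
];

/**
 * Compare a required list against a disable_functions value.
 * $probe additionally asks the running interpreter whether each disabled
 * name still exists; that only makes sense when $ini_value came from
 * ini_get() in this same process.
 */
function audit_disabled_functions(array $required, string $ini_value, bool $probe = false): array
{
    $disabled = parse_disable_functions($ini_value);
    $missing = $alias_gap = $still_callable = [];

    foreach ($required as $fn) {
        $fn = strtolower($fn);
        if (!isset($disabled[$fn])) {
            $missing[] = $fn;
        }
    }
    foreach (array_keys($disabled) as $fn) {
        $alias = FUNCTION_ALIASES[$fn] ?? null;
        if ($alias !== null && !isset($disabled[$alias])) {
            $alias_gap[] = "$fn is disabled but its alias $alias is not";
        }
    }
    if ($probe) {
        // A disabled function is reported as non-existent (PHP 7 and 8),
        // so anything that still exists was not actually disabled.
        foreach (array_keys($disabled) as $fn) {
            if (function_exists($fn)) {
                $still_callable[] = $fn;
            }
        }
    }
    return ['missing' => $missing, 'alias_gap' => $alias_gap, 'still_callable' => $still_callable];
}

// The list from the post.
$required = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
             'curl_exec', 'curl_multi_exec', 'parse_ini_file', 'show_source'];

$report = audit_disabled_functions($required, (string) ini_get('disable_functions'), true);

header('Content-Type: text/plain');   // ignored on the CLI, readable in a browser
echo 'SAPI: ', PHP_SAPI, '  php.ini: ', php_ini_loaded_file() ?: '(none)', "\n";
foreach ($report as $check => $items) {
    printf("%-15s %s\n", $check . ':', $items ? implode(', ', $items) : 'ok');
}
exit(array_filter($report) ? 1 : 0);
```

`php --ini` lists the files the CLI actually loaded; mod_php and php-fpm frequently read a different php.ini, so a clean report from the command line says nothing about the web SAPI. Note also what the directive cannot do: `eval` is a language construct rather than a function, so it cannot be placed in disable_functions at all.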



With date added to disable_functions, the test script produced:

Warning: date() has been disabled for security reasons in  /*/*/datetest.php on line 5



<?php
// Attempt to replace the built-in date() with a fixed-value stub (this is what fails):
function date($str)
{
    return "2009-12-11 21:09:35";
}
echo date("Y-m-d H:i:s");
?>

Output:
[/usr/local/tads/htdocs/qdkj/src/view]# php datetest.php

Fatal error: Cannot redeclare date() in /data/*/*/src/view/datetest.php on line 6
I think:
PHP already has a date() function and you cannot overwrite existing functions in this language. Rename your function and it will work. Or wrap it in a class and it will work as well.
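The quoted advice carried out, as an added example that is not from the original post or its author: a test-time clock that fixes what date() returns inside your own code, without changing the server time with date -s and without disabling date() for everyone on the server. It assumes PHP 7.1 or later; the namespace name App\Clock is arbitrary. Besides the class wrapper the answer suggests, it goes one step further and shows namespace shadowing, which lets existing unqualified date() calls in that namespace pick up the frozen time without being rewritten.

```php
<?php
// Added example, not code from the original post: a test-time "clock".
// Assumes PHP 7.1+; the namespace App\Clock is an arbitrary choice.
namespace App\Clock;

final class Clock
{
    /** @var int|null Unix timestamp the clock is frozen at, or null for real time. */
    private static $frozen = null;

    public static function freeze(string $datetime): void
    {
        self::$frozen = strtotime($datetime);   // unqualified: falls back to global \strtotime()
    }

    public static function unfreeze(): void
    {
        self::$frozen = null;
    }

    public static function now(): int
    {
        return self::$frozen ?? time();
    }

    /** Class wrapper, as the quoted answer suggests: call Clock::format() instead of date(). */
    public static function format(string $format): string
    {
        return \date($format, self::now());
    }
}

// Namespace shadowing: inside App\Clock an unqualified date() resolves to
// App\Clock\date() first and only then to the global \date(). This defines
// a new function in the namespace, not a redeclaration of the global one,
// so there is no "Cannot redeclare date()" error. Code that calls \date()
// explicitly, or lives in another namespace, is unaffected.
function date(string $format, ?int $timestamp = null): string
{
    return \date($format, $timestamp ?? Clock::now());
}

date_default_timezone_set('UTC');   // keep strtotime() and \date() consistent

Clock::freeze('2010-01-01 16:11:21');
echo date('Y-m-d H:i:s'), "\n";           // the frozen instant, via the shadow
echo Clock::format('Y-m-d H:i:s'), "\n";  // the same instant, via the wrapper
Clock::unfreeze();
echo date('Y-m-d H:i:s'), "\n";           // real time again
```

The frozen time is local to the code under test, which is the point: putting date in disable_functions, as the post considers, is a server-wide setting that breaks every other script using it. One related PHP 8.0 change is worth knowing: a name listed in disable_functions is then removed entirely, so a script could define its own date() in that configuration, but that again depends on a global setting rather than on the test code itself.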


So now I am wondering: if people are currently using PHP's date, and I disable this date function for everyone, will they come looking for me? We will wait and see...

EOF

Author: jackxiang@向东博客, focused on WEB applications and the beauty of architecture --- the beauty of architecture lies in its full refinement | the beauty of an application lies in curing the ailment
Address: http://jackxiang.com/post/2432/
All rights reserved. When reposting, you must credit the author and the original source with a link and include this notice!


Last edited: jackxiang on 2014-11-2 09:57