dsaba Posted January 20, 2008 I've made a nice script to allow me to run/test php code on a remote server. I'm thinking about making it a public tool. What are some dangerous functions/code snippets I should filter so someone cannot attack my site/server? I've already thought about these: include, eval, require. Link to comment https://forums.phpfreaks.com/topic/86921-dangerous-php-functionscode/
trq Posted January 20, 2008 Your living on the edge. Any of the filesystem functions for starters, but I'd think pretty seriously about this before going public.
dsaba Posted January 20, 2008 (Author) You're* I thought about it. I made this thread to see if any of the people here in the community could help me brainstorm a list of functions/code to filter out, not to give me their opinion on whether they think this is a good idea, period. Because I'm sure the general opinion is that it's not. I know this. Why would I make a thread to hear this opinion reiterated? I wouldn't. I didn't. Anyone else have anything else to add other than filesystem functions? One time I saw a similar thread on someone posting a php tester they made, and a couple of people made some snide remarks about code that could potentially be dangerous if tested on this online tester. Any code like this I'm interested in seeing.
Fyorl Posted January 20, 2008 Depending on how much code you allow people to post and what environment you're running it in, there could potentially be a lot of room for malicious attacks. I'd say the curl functions could also be abused quite easily. Letting people use mail() would be bad too. Those are just some off the top of my head; if I think of some more I'll post them.
GingerRobot Posted January 20, 2008
> You're* I thought about it, I made this thread to see if any of the people here in the community could help me brainstorm a list of functions/code to filter out, not to give me their opinion on whether they think this is a good idea period. Because I'm sure the general opinion is that it's not. I know this. Why would I make a thread to hear this opinion reiterated? I wouldn't. I didn't. Anyone else have anything else to add other than filesystem functions, one time I saw a similar thread on someone posting a php tester they made, and a couple people made some snide remarks about code that could potentially be dangerous if tested on this online tester. Any code like this I'm interested in seeing.

Stunning attitude there. Last time I checked this was a forum, which, as far as I'm aware, involves the sharing of opinions. Since you didn't bother to state in the topic that you understood that the general opinion would be that it was a bad idea, how can you possibly expect people to know that? Correcting the minor grammatical mistake just adds to the rudeness of the reply.
awpti Posted January 20, 2008 Except for the fact he wasn't looking for opinions. Reading comprehension for the win. In any case, no function is inherently dangerous unless used poorly/with no validation of incoming content. The reverse of that first part of the statement is also true. It depends on how astute you are as a developer.
Barand Posted January 20, 2008
> Except for the fact he wasn't looking for opinions.

You've just given one.
GingerRobot Posted January 20, 2008 Hmm, I was under the impression that, since none of us are god, asking a question is in fact the same as asking an opinion.
KrisNz Posted January 20, 2008 This is dangerous: exec($_POST['user_command']);
Fyorl Posted January 20, 2008 Ooh it is indeed. You'll probably want to block passthru() and system() too then.
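As an added illustration (not code from anyone in this thread), here is a PHP 8 tokenizer-based pre-check that flags the names the posters list: the include/require/eval constructs, the shell functions (exec, passthru, system), mail(), the curl_* family and a few filesystem calls. A name-based filter like this is defence in depth only: it cannot see a function name that the submitted code assembles at runtime, so the setting that actually blocks the calls is disable_functions in php.ini, with the tester running as an unprivileged, isolated account. The constant names, function name and sample snippet are assumptions of this example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 8.0 (uses
// T_NAME_FULLY_QUALIFIED and str_starts_with).
// Names taken from the thread's suggestions plus their close relatives.
const BLOCKED_FUNCTIONS = [
    'eval', 'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open',
    'mail', 'fopen', 'file_get_contents', 'file_put_contents', 'unlink',
];
// Language constructs are separate tokens, not T_STRING calls.
const BLOCKED_CONSTRUCTS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_EVAL];

/**
 * Scan submitted source and return "name@line" for every flagged
 * construct or function-name token; an empty array means nothing matched.
 */
function find_blocked_calls(string $code): array
{
    $hits = [];
    foreach (token_get_all($code) as $tok) {
        if (!is_array($tok)) {       // single-character tokens like ';' or '('
            continue;
        }
        [$id, $text, $line] = $tok;
        if (in_array($id, BLOCKED_CONSTRUCTS, true)) {
            $hits[] = strtolower($text) . '@' . $line;
            continue;
        }
        // Plain `system(...)` is T_STRING; `\system(...)` is T_NAME_FULLY_QUALIFIED.
        if ($id !== T_STRING && $id !== T_NAME_FULLY_QUALIFIED) {
            continue;
        }
        $name = ltrim(strtolower($text), '\\');
        if (in_array($name, BLOCKED_FUNCTIONS, true) || str_starts_with($name, 'curl_')) {
            $hits[] = $name . '@' . $line;
        }
    }
    return $hits;
}

// Constructed sample input: the snippet posted above plus an include.
$sample = "<?php\nexec(\$_POST['user_command']);\ninclude 'x.php';\n";
$hits = find_blocked_calls($sample);
if ($hits !== []) {
    echo "Rejected submission, flagged: " . implode(', ', $hits) . "\n";
} else {
    echo "No blocked names found (still run under disable_functions).\n";
}
```

Because `disable_functions` is enforced by the engine for every call path, keep it as the authoritative control and treat this scan as an early, user-friendly rejection.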