
Dangerous PHP functions/code


dsaba


I've made a nice script to allow me to run/test php code on a remote server. I'm thinking about making it a public tool.

 

What are some dangerous functions/code snippets I should filter so someone cannot attack my site/server?

I've already thought about these:

include

eval

require

 


You're*

 

I thought about it. I made this thread to see if any of the people here in the community could help me brainstorm a list of functions/code to filter out, not to give me their opinion on whether they think this is a good idea, period. Because I'm sure the general opinion is that it's not. I know this. Why would I make a thread to hear this opinion reiterated? I wouldn't. I didn't.

 

Anyone else have anything else to add other than filesystem functions? One time I saw a similar thread where someone posted a PHP tester they made, and a couple of people made some snide remarks about code that could potentially be dangerous if tested on that online tester. Any code like this I'm interested in seeing.


Depending on how much code you allow people to post and what environment you're running it in there could potentially be a lot of room for malicious attacks. I'd say the curl functions could also be abused quite easily. Letting people use mail() would be bad too. Those are just some off the top of my head, if I think of some more I'll post them.


You're*

 

I thought about it. I made this thread to see if any of the people here in the community could help me brainstorm a list of functions/code to filter out, not to give me their opinion on whether they think this is a good idea, period. Because I'm sure the general opinion is that it's not. I know this. Why would I make a thread to hear this opinion reiterated? I wouldn't. I didn't.

 

Anyone else have anything else to add other than filesystem functions? One time I saw a similar thread where someone posted a PHP tester they made, and a couple of people made some snide remarks about code that could potentially be dangerous if tested on that online tester. Any code like this I'm interested in seeing.

 

Stunning attitude there. Last time I checked this was a forum, which, as far as I'm aware, involves the sharing of opinions. Since you didn't bother to state in the topic that you understood that the general opinion would be that it was a bad idea, how can you possibly expect people to know that? Correcting the minor grammatical mistake just adds to the rudeness of the reply.


Except for the fact he wasn't looking for opinions.

 

Reading comprehension for the win.

 

In any case, no function is inherently dangerous unless used poorly/with no validation of incoming content.

 

The reverse of that first part of the statement is also true. It depends on how astute you are as a developer.

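Added example, not code from anyone in this thread: a token-based pre-scan for an online PHP tester that flags the constructs named above (include/require, eval, the curl functions, mail()) plus backticks and variable function calls, which a plain substring search over the submitted text would miss. It assumes PHP 7.1 or later, a constructed sample as input, and that the real enforcement lives in php.ini's disable_functions and a sandboxed process, with this scan serving only as a first filter.

```php
<?php
const DENIED_TOKENS = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE]; // constructs, never T_STRING
const DENIED_FUNCTIONS = ['mail'];   // exact names, lowercase; curl_* is handled by prefix below

/** Next token that is not whitespace or a comment, or null at end of input. */
function nextSignificant(array $tokens, int $i)
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $t;
        }
    }
    return null;
}

/** Scan untrusted PHP source; return one ['line' => int, 'what' => string] per hit. */
function findDeniedCode(string $source): array
{
    if (strpos($source, '<?') === false) {   // no open tag: it would all tokenize as inline HTML
        $source = '<?php ' . $source;
    }
    $findings = [];
    $line = 1;
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            if ($tok === '`') {              // backtick operator is shell execution
                $findings[] = ['line' => $line, 'what' => 'backtick operator'];
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        // PHP 8 tokenizes \name as T_NAME_FULLY_QUALIFIED rather than T_STRING.
        $isName = $id === T_STRING || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = ltrim(strtolower($text), '\\');
        $denied = in_array($name, DENIED_FUNCTIONS, true) || strncmp($name, 'curl_', 5) === 0;
        if (in_array($id, DENIED_TOKENS, true)) {
            $findings[] = ['line' => $line, 'what' => $name];
        } elseif ($isName && $denied && nextSignificant($tokens, $i) === '(') {
            $findings[] = ['line' => $line, 'what' => "$name()"];
        } elseif ($id === T_VARIABLE && nextSignificant($tokens, $i) === '(') {
            // $f() calls whatever name $f holds at runtime, so no name list can vet it
            $findings[] = ['line' => $line, 'what' => "variable function call $text()"];
        }
    }
    return $findings;
}

// Constructed sample of submitted code, used only to exercise the scanner.
$sample = "\$s = strlen('abc');\nmail('user@example.com', 'hi', 'body');\n\$f = 'strlen'; \$f('x');\nrequire 'other.php';\n";
foreach (findDeniedCode($sample) as $hit) {
    printf("line %d: %s\n", $hit['line'], $hit['what']);
}
```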
