jump to navigation

Disable Dangerous Functions in PHP November 30, 2012

Posted by Tournas Dimitrios in PHP.

PHP is often characterized as an “easy to learn programming language  and is used as a footstep into web programming . Most of this misunderstanding is due to authors that write tutorials about PHP and often concentrate only on how to present an achievement ( a specific  programs task in PHP ) , while forgetting to mention that their script wasn’t meant for production . Beginners then go on to use these “easy” scripts on production servers and find themselves subject to many forms of attacks . The following chart is just  a representation of the most common PHP-vulnerabilities (listed by type)  .


As shown on the chart , the champion is the “Execute Code” vulnerability . The number represents the reported different ways this vulnerability was used to attack a PHP-application .

PHP  has build-in functionality to execute underlying shell commands on the system itself  (were PHP is installed on) . It provides a number of functions for executing external commands , among them shell_execexecpassthru , the backtricks (` `)  and system . It’s important to note that pretty much whatever you can do on the UNIX command line or in a shell script is allowed here . For example , you can use pipes to string together commands . Each of these commands spawns a child process to run the command or script you designate , and each captures the output of your command as it’s written to standard output (stdout) .

Many common attacks on PHP applications involve attackers uploading so-called “Web Shells”, which are scripts that give the attacker access to system functions for the purpose of taking over the web server . These Shells typically use the dangerous PHP functions for access to system commands . Disabling dangerous PHP functions makes using Web Shells more difficult , thus adding an extra layer of protection  .

How to disable these dangerous commands :

Very simple , open PHP’s ini-file and append the following command (don’t forget to restart Appache so that these configuration changes can be activated) :

disable_functions = shell_exec , show_shource , system , exec,  popen, proc_open , parse_ini_file,  passthru ,  symlink

Most likely , a shared host will have disabled shell access . This article only applies to PHP-code hosted on Cloud servers (like Amazon’s EC2) , VPS or on dedicated-servers  .

Final thoughts : 

I remember the words of my professor “great power must be accompanied with equal responsibilities” . My golden rule is to find alternative ways to accomplish a specific task that was meant to be run through the command shell . For instance , PHP has a “bunch” of build-in file-system function that can be used instead of shell-commands . Another example , I have seen in the past fellow coders using shell commands  to “ping” a remote server (echo exec(“ping “.$ip);) , with a little bit of code the same functionality can be done with PHP’s build-in functionality (fsockopen function) .  Which commands should you use and when ? This is entirely up to you and the needs you have . If you’re accepting user input and passing that information along to the shell , you better sanitize that user input . Strip out any commands that you think might be harmful , disallow users from sending in open requests and only allow them to choose from a list of possible alternatives . Make sure that each case of using a dangerous function is absolute necessary and is done in accordance with best practices . For code that passes arguments to shell commands, use escapeshellarg to prevent command injection vulnerabilities . Use absolute paths when executing external commands , don’t let users execute arbitrary commands . Be particularly careful with the backtick (`) operator (this operator is disabled if shell_exec is disabled) .


1. Joselyn - December 3, 2012

Hello Dimitrius:

I asking me if you could help me with an xml that I cannot load, can i send my code?, thanks in advance if you agree.

tournasdimitrios1 - December 4, 2012

Hi ,
As you might have discovered my Blog has over 700 articles , where some of those have many comments . I try to respond to all comments , on condition , these comments are in focus of the article’s subject and the reader has at least basic knowledge of web-programming (PHP , JQuery , AS3 ) . It’s my pleasure to help other developers , but I can’t make their “home work” (that would consume valuable energy , which I prefer to spend on writing new articles ) .
Kind regards .

2. Carolina - December 6, 2012

i just found this blog and have high hopes for it to continue. keep up the great work, its hard to find good ones. i have added to my favourites. thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s