
php.ini - disable_functions not working


Postby kiwiplayer » Fri Sep 21, 2012 3:59 am

Hello there,

I've been looking at disabling certain php functions for security reasons, and it turned into a mammoth task identifying which ones to deactivate, so ...

As an exercise, I decided to try deactivating every single function (about 5000 of them *gulp!*), then access my site and see what errors I'd get ... the idea being that I would then 'punch holes' in my disabled list to allow only those functions that my site actually uses.

So having generated a complete list of all 5000-odd functions, and applying it to my php.ini, then confirming that they were listed as disabled in phpinfo, I was surprised to find that my site continued working just fine ... even though functions like mysql_connect and mysql_query were being called.

Furthermore - being a function in its own right - I would've expected that phpinfo itself would've been blocked, but I was able to access it via the web just fine.

I ran this test on my single-user development machine, so I know my php.ini isn't being overridden somehow, nor have I accidentally got more than one 'disable_functions' definition in my ini file causing my list to be ignored ... and in any case the disabled list is correctly displayed in phpinfo.

So now I wonder whether this 'disable_functions' ini setting even works at all, it doesn't look like it based on my tests!

Any thoughts or insights would be much appreciated ...

Thanks!
kiwiplayer
New php-forum User
Posts: 2
Joined: Fri Sep 21, 2012 3:45 am

Re: php.ini - disable_functions not working

Postby kiwiplayer » Fri Sep 21, 2012 5:16 am

Just to answer my own question - I've got this working now ... turns out the list of disabled functions must be a continuous comma-delimited string, whereas I had a comma-delimited list with each function on a separate line. Now I'm getting lots of errors, as expected!

Whilst I prefer this approach to security - meaning "have everything switched off unless expressly permitted" - I'm not sure it's practical, as the processing overhead might be substantial.

Any thoughts?
kiwiplayer
New php-forum User
Posts: 2
Joined: Fri Sep 21, 2012 3:45 am
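
The fix described in the second post, as an added example that is not part of the original thread: a Python helper that folds a one-name-per-line `disable_functions` list into the single comma-delimited line PHP expects, and drops allowlisted names (the "punch holes" step from the first post). The function names, the sample php.ini text and the allowlist are constructed for illustration, and the helper assumes one `disable_functions` directive per file.

```python
import re

# A PHP function name (assumption: no namespaced names appear in the list).
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
DIRECTIVE = re.compile(r"\s*disable_functions\s*=(.*)")

# Constructed sample: the one-name-per-line layout described in the thread.
SAMPLE_INI = """\
[PHP]
disable_functions = exec,
passthru,
shell_exec,
mysql_connect,
mysql_query,
phpinfo
; next directive
expose_php = Off
"""

def _names(fragment):
    """Split one line of the list; return None if it is not a name list."""
    parts = [p.strip() for p in fragment.strip().strip('"').split(",")]
    parts = [p for p in parts if p]
    return parts if parts and all(NAME.match(p) for p in parts) else None

def collapse_disable_functions(ini_text, allow=()):
    """Rewrite php.ini text so disable_functions is one comma-delimited line.
    Lines right after the directive holding only function names are folded
    into it; names in `allow` are left out. Returns (new_text, disabled)."""
    allow = {a.lower() for a in allow}
    out, disabled, slot, folding = [], [], None, False
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            slot, folding = len(out), True
            out.append("")                      # filled in after the loop
            found = _names(m.group(1)) or []
        elif folding and (found := _names(line)) is not None:
            pass                                # continuation line of the list
        else:
            folding = False                     # comment, blank or new directive
            out.append(line)
            continue
        for name in found:                      # names are case-insensitive
            if name.lower() not in allow and name.lower() not in disabled:
                disabled.append(name.lower())
    if slot is not None:
        out[slot] = "disable_functions = " + ",".join(disabled)
    return "\n".join(out) + "\n", disabled
```

After writing the result back to php.ini, restart the web server or PHP process and confirm that a call to one of the listed functions now fails, rather than relying on the phpinfo listing alone.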

