A few months back we completed a security update on one of our main servers, and while performing the update we realised that there is a distinct lack of information out there concerning the security of PHP functions, and no good lists of functions that should be banned or switched off.
When you install PHP, it doesn’t make many recommendations about which functions you should ban on your servers. Although it basically comes out of the box in safe mode, which is great, as a web host trying to offer the best service possible we like to offer our customers the choice of using PHP’s safe mode or not. I know that as a developer it’s a real pain to be forced to deal with things like magic quotes when you already have tight methods of blocking SQL injection, XSS attacks etc.
So, as a hosting company, we want to leave things as flexible as possible for developers, but it’s critical for us to know that our customers can’t write PHP code that could leave our server wide open to attack.
So, being diligent web hosts we searched high and low for a decent list of PHP functions that we ought to ban, and surprisingly couldn’t really find any decent lists.
So, for anyone wondering what functions to ban, here is our list of PHP functions you should definitely not allow your customers to use!
exec, system, passthru, readfile, shell_exec, escapeshellarg, proc_close, proc_open, ini_alter, dl, parse_ini_file, show_source, popen, pclose, pcntl_exec, proc_get_status, proc_nice, proc_terminate, pfsockopen, posix_kill, posix_mkfifo, openlog, syslog, escapeshellcmd, apache_child_terminate, apache_get_env, apache_set_env, apache_note, virtual, error_log, readlink, symlink, link, highlight_file, closelog, ftp_exec, posix_setpgid, posix_setuid, posix_setsid, posix_setegid, posix_seteuid, posix_getpwnam, posix_ctermid, posix_uname, posix_getegid, posix_geteuid, posix_getpid, posix_getppid, posix_getpwuid
I’m not going to go into details here, but if you’re in for a fright, look these functions up (especially the posix ones) on the www.php.net website, and you’ll be very scared!
This list may be overkill, but keep in mind, we’re aiming this at the shared server market. If anyone has any other functions they think should be banned, please let me know.
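The list above is applied through the disable_functions directive in php.ini. The following audit script is an added example, not part of the original post: it reads the running PHP's disable_functions value, compares it against the list (with the repeated openlog and syslog entries removed), and reports anything still callable. It assumes PHP 7.4 or later for the arrow-function syntax; the function names BANNED_FUNCTIONS, parseDisabledFunctions and missingFromDisabled are this example's own.

```php
<?php
// Added example (not from the original post): audit which of the listed functions
// are actually disabled in the running PHP by reading the disable_functions setting.
// The php.ini line it checks against looks like:
//   disable_functions = exec,system,passthru,readfile,shell_exec,...
// Run it through the same SAPI your customers use (mod_php or php-fpm): the CLI
// usually loads a different php.ini, so a clean CLI result proves nothing about
// the web SAPI.

declare(strict_types=1);

/** The post's list, de-duplicated (openlog and syslog appeared twice). */
const BANNED_FUNCTIONS = [
    'exec', 'system', 'passthru', 'readfile', 'shell_exec', 'escapeshellarg',
    'proc_close', 'proc_open', 'ini_alter', 'dl', 'parse_ini_file', 'show_source',
    'popen', 'pclose', 'pcntl_exec', 'proc_get_status', 'proc_nice', 'proc_terminate',
    'pfsockopen', 'posix_kill', 'posix_mkfifo', 'openlog', 'syslog', 'escapeshellcmd',
    'apache_child_terminate', 'apache_get_env', 'apache_set_env', 'apache_note',
    'virtual', 'error_log', 'readlink', 'symlink', 'link', 'highlight_file', 'closelog',
    'ftp_exec', 'posix_setpgid', 'posix_setuid', 'posix_setsid', 'posix_setegid',
    'posix_seteuid', 'posix_getpwnam', 'posix_ctermid', 'posix_uname', 'posix_getegid',
    'posix_geteuid', 'posix_getpid', 'posix_getppid', 'posix_getpwuid',
];

/**
 * Parse a disable_functions value (comma-separated, optional whitespace) into a
 * set keyed by lowercase function name.
 */
function parseDisabledFunctions(string $ini): array
{
    $names = array_map('trim', explode(',', $ini));
    $names = array_filter($names, fn(string $n): bool => $n !== '');
    return array_fill_keys(array_map('strtolower', $names), true);
}

/** Return the entries of $wanted that are absent from the disabled set. */
function missingFromDisabled(array $wanted, array $disabled): array
{
    return array_values(array_filter(
        $wanted,
        fn(string $fn): bool => !isset($disabled[strtolower($fn)])
    ));
}

$disabled = parseDisabledFunctions((string) ini_get('disable_functions'));
$missing  = missingFromDisabled(BANNED_FUNCTIONS, $disabled);

printf("SAPI: %s, PHP %s\n", PHP_SAPI, PHP_VERSION);
printf("disable_functions currently lists %d function(s)\n", count($disabled));

if ($missing === []) {
    echo "OK: every function on the list is disabled.\n";
    exit(0);
}

echo "WARNING: not disabled on this SAPI:\n";
foreach ($missing as $fn) {
    // A function that is neither disabled nor compiled in (e.g. the posix or
    // pcntl extension is not loaded) cannot be called today, but it will become
    // callable the moment that extension is enabled, so it still belongs in the list.
    $state = function_exists($fn) ? 'callable' : 'not compiled in';
    printf("  %-24s (%s)\n", $fn, $state);
}
exit(1);
```

Save it as a .php file under a web root and request it through the web server, then remove it. Two caveats: disable_functions is read from php.ini at startup, so the web server or php-fpm must be restarted after editing it, and it covers only internal functions, not language constructs such as include or eval, which need separate controls.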
1 Chris // Jul 10, 2009 at 1:40 pm
Thanks for the list. Another one to disable should be allow_url_fopen