Dangerous PHP Functions Must be Disabled?

justsmallsteps · Feb 9, 2017

I have read a reply on this forum and was recommended to disabled dangerous PHP Functions on my hosting control panel?

I searched and got a list of dangerous php functions:

apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
exec
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_get_all
ini_restore
inject_code
mysql_pconnect
openlog
passthru
php_uname
phpAds_remoteInfo
phpAds_XmlRpc
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
popen
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
syslog
system
xmlrpc_entity_decode

Should I disable all of them? How to do?

Thanks!

hostens · Feb 9, 2017

If you are not using them it should be better to disable them. Just make sure any of your hosted project do not use them.

24x7CSM · Feb 10, 2017

although they are dangerous functions , some of them will need enabled in order to work the app or the website work. so enable them as per the needs

justsmallsteps · May 13, 2018

hostens said:
If you are not using them it should be better to disable them. Just make sure any of your hosted project do not use them.

I am afraid my scripts can have small errors that I can not know when disabling these functions. So I will go your second suggestion.

24x7CSM said:
although they are dangerous functions , some of them will need enabled in order to work the app or the website work. so enable them as per the needs

I got your points hence I still am using them

WPCycle · May 14, 2018

Sorry I don't know how to quote with the new forum, but if you have logs running (access and errors) you should be able to track even small errors. Either way, that is a good list to start out with.

24x7serverman · May 15, 2018

Actually, these functions are not dangerous by design but a hacker can use it for malicious purposes.

Many web host providers have disabled these functions by default but if needed then the end user can enable it.

bountysite · Oct 30, 2019

Disabling those functions is only a layer of security. Does not mean that there are no ways to circumvent.
Having those functions will only make it easy for script kiddies. So, generally recommended to disable.

Offcourse having your site running is first priority. But in most cases, the functions mentioned should not cause any issues.
May be the errors are occurring anyway.

hostguy · May 3, 2021

Its better to disable all these PHP functions, it will add extra layer of security to your server.
After disabling then you can check your php functions in phpinfo.php file.

hostguy · May 11, 2021

justsmallsteps said:
I have read a reply on this forum and was recommended to disabled dangerous PHP Functions on my hosting control panel?

I searched and got a list of dangerous php functions:

Should I disable all of them? How to do?

Thanks!

You can disable PHP function if you have root access of your server.
I have followed this guide Disable dangerous PHP functions and its easy to disable fro WHM server.

Dangerous PHP Functions Must be Disabled?

Member

Well-known member

Well-known member

Member

Well-known member

Well-known member

Well-known member

Member

Member

Sponsors

Tag Cloud