3

Several days ago I attended a seminar and they were talking about "dangerous" PHP functions. They did not say, however, whether we should use them. They named eval(), preg_match(), exec() and a lot more.

Though I don't use them, or don't use them often, sometimes I have to. Is it considered bad practice to use those functions? Even if I know that where I use them no user can reach it?

Edit: For the preg_match() questions, check out this: preg_match() security hole

Adam Arold
  • Did they mention why `preg_match()` would be dangerous? The other two are obvious, since they allow you to invoke arbitrary programs on the host, but this one is not clear to me. – Kris Jun 01 '11 at 07:49
  • 2
    http://en.wikipedia.org/wiki/ReDoS – Samuel Katz Jun 01 '11 at 07:52
  • 2
    `preg_replace` might be dangerous when you use the `e` modifier, because it means to `eval()` the substitution (view the [modifiers section on PCRE](http://es2.php.net/manual/en/reference.pcre.pattern.modifiers.php)). This flag only applies to `preg_replace` though. Not sure if @edem meant `preg_replace` instead of `preg_match`, or if there is some kind of danger to `preg_match` that I'm not aware of. – Carlos Campderrós Jun 01 '11 at 07:55
  • See [http://stackoverflow.com/questions/951373/when-is-eval-evil-in-php/951868#951868](http://stackoverflow.com/questions/951373/when-is-eval-evil-in-php/951868#951868) for `eval`. All in all, any function able to execute s/t on the system level (like `exec`) could be considered evil when using unsanitized user input. I don't know why they considered `preg_match` evil, though (except for the e flag, as Carlos already mentioned). – Jürgen Thelen Jun 01 '11 at 07:55
  • @SalmanPK great link, I didn't know that was possible – Carlos Campderrós Jun 01 '11 at 07:57
  • 2
    Bad practice would be to use them and not know what they are used for. There are no "dangerous" PHP functions, only people who use them in a wrong way and afterwards think that this is probably "dangerous". – Eugene Jun 01 '11 at 08:00
  • Every function is potentially dangerous. The 3 line code posted in [this question](http://stackoverflow.com/questions/6196154/php-script-to-force-download-not-working) does not use any of the *dangerous* functions, yet it is highly exploitable. – Salman A Jun 01 '11 at 08:06
  • "Careful with that axe, Eugene" :) – Adam Arold Jun 01 '11 at 08:37

6 Answers

11

All of those methods basically allow injected code to be run on your system if you don't protect against it. There's a chance of you shooting yourself in the foot if you do use them without knowing what the dangers are. If you're fully aware of what you're doing, and you have no alternative but to use this method, then there isn't much else you can do in any case.

This question has a pretty comprehensive list of exploitable functions in PHP

Exploitable PHP functions

JohnP
1

Really it's a matter of taste. It's really just having enough rope to hang yourself. As long as you are 100% sure that no users can input directly into an eval or exec statement, you're probably okay, but it's hard to make a case that there shouldn't be a different, safer way to do what you're trying to do.

Kyle Sletten
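What "no user input reaches exec" looks like in practice, as an added example that is not code from this thread: the user controls only an allowlisted output format and a path that must resolve inside an uploads directory, and every argument is quoted with escapeshellarg(). The `convert` tool and the `uploads/` directory next to the script are assumptions.

```php
<?php
// Added example, not from the thread. Assumes an ImageMagick-style
// "convert" binary on PATH and an uploads/ directory next to this script.

const ALLOWED_FORMATS = ['png', 'jpg', 'webp'];

// For contrast, the form this replaces interpolates raw strings into the
// command line, so shell metacharacters in either value would be parsed
// by the shell as extra commands:
//   exec("convert $source $source.$format");

function convertImage(string $source, string $format): string
{
    // 1. Allowlist, not blocklist: the format can only be one of three literals.
    if (!in_array($format, ALLOWED_FORMATS, true)) {
        throw new InvalidArgumentException('unsupported format');
    }

    // 2. Canonicalise the path and require it to live under uploads/,
    //    so "../" segments or symlinks cannot point the tool elsewhere.
    $base = realpath(__DIR__ . '/uploads');
    $real = realpath($source);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('source is not inside the uploads directory');
    }

    // 3. Every argument is quoted separately; the command word is a literal.
    $target = $real . '.' . $format;
    $cmd = 'convert ' . escapeshellarg($real) . ' ' . escapeshellarg($target);
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('convert exited with status ' . $status);
    }
    return $target;
}
```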
1

If your server is ever compromised, perhaps by a code injection attack from a poorly secured form or include() call, then some little-used but very powerful PHP functions give the attacker just too much control over your entire system via exec(), so you can block these functions completely in your ini file.

Quote php.ini:

```ini
; This directive allows you to disable certain functions for security
; reasons. It receives a comma-delimited list of function
; names. This directive is NOT affected by whether Safe Mode is
; turned On or Off.
disable_functions =
```

Edit: JohnP's link lists all the functions you should be wary of.

Cups
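An added example, not from the thread, that audits the running interpreter's `disable_functions` setting against a hardening list. The list is a common starting point and an assumption, not a complete inventory; note that eval is a language construct, not a function, so `disable_functions` cannot switch it off.

```php
<?php
// Added example, not from the thread. Compares ini_get('disable_functions')
// with the process-spawning functions an admin typically blocks.
//
// Weak php.ini line (everything callable):
//   disable_functions =
// Hardened line (assumed starting point):
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec

const SHOULD_BE_DISABLED = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen', 'pcntl_exec',
];

// Parse the comma-separated ini value into a normalised list of names.
function disabledFunctions(): array
{
    $raw = strtolower((string) ini_get('disable_functions'));
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// Return the names from $required that are NOT disabled in this process.
function stillEnabled(array $required, ?array $disabled = null): array
{
    $disabled = $disabled ?? disabledFunctions();
    return array_values(array_diff($required, $disabled));
}

$enabled = stillEnabled(SHOULD_BE_DISABLED);
if ($enabled === []) {
    echo "OK: all listed functions are disabled in this SAPI\n";
} else {
    echo "WARNING: still callable: " . implode(', ', $enabled) . "\n";
    echo "Suggested: disable_functions = " . implode(',', SHOULD_BE_DISABLED) . "\n";
}
```

Run it under the same SAPI as the application (php-fpm or mod_php, not only the CLI), since each SAPI can load a different php.ini.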
1

Here is the post where the author is asking why eval is dangerous: http://blog.joshuaeichorn.com/archives/2005/08/01/using-eval-in-php/; please read the answers. Here is another interesting and short article: http://www.hardened-php.net/suhosin/a_feature_list:eval_black_and_whitelist.html

IMHO the problem is that if you use a function like eval or exec you need 100% knowledge of what variables are passed to them. Since exec can "interfere" with your operating system, it can be really dangerous.

  • exec - Personally I'm using exec only for jobs that do not depend on user input or untrusted data.
  • eval - Makes the code hard to understand, hard to develop, and by using it, after a time you can have a real problem finding potential problems. It also seems hard for testing...
  • preg_match - The only problem that I know of is here: http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filters.html

Regards, Tom
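The preg_match() filter hole referenced in the question's edit and in this answer, as an added example that is not code from the thread: on an input that exhausts `pcre.backtrack_limit`, preg_match() returns false rather than 0, and a filter written as `if (!preg_match(...))` treats that error as "no match" and lets the input through. The blocklist pattern is the PHP manual's preg_last_error() example and is constructed for the demo; the tiny limit stands in for a hostile input that would exhaust the default limit.

```php
<?php
// Added example, not from the thread. Contrasts a preg_match() filter that
// fails open on a PCRE error with one that fails closed.

ini_set('pcre.jit', '0');                // the JIT does not honour backtrack_limit
ini_set('pcre.backtrack_limit', '100');  // small limit: hostile input in miniature

$blocklist = '/(?:\D+|<\d+>)*[!?]/';    // constructed: backtracks heavily
$hostile   = 'foobar foobar foobar';     // constructed: exhausts the limit above
$clean     = 'hello';                    // constructed: plain non-matching input

// Weak filter: rejects when the blocklist matches, accepts everything else.
function weakFilter(string $pattern, string $input): bool
{
    if (!preg_match($pattern, $input)) {
        return true;   // both 0 ("no match") and false (PCRE error) land here
    }
    return false;
}

// Strict filter: only an explicit 0 counts as clean; any error fails closed.
function strictFilter(string $pattern, string $input): bool
{
    $result = preg_match($pattern, $input);
    if ($result === false) {
        error_log('preg_match failed, error code ' . preg_last_error());
        return false;  // reject rather than guess
    }
    return $result === 0;
}

foreach (['clean' => $clean, 'hostile' => $hostile] as $label => $input) {
    printf("%-7s weak=%s strict=%s\n", $label,
        weakFilter($blocklist, $input) ? 'accept' : 'reject',
        strictFilter($blocklist, $input) ? 'accept' : 'reject');
}
```

The clean input is accepted by both filters; the hostile one is accepted by weakFilter() and rejected by strictFilter(), which is the bypass the linked article describes.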

1

There is no such thing as a "dangerous" function. There are

  • sloppy programmers who don't handle user input properly
  • sloppy system administrators who don't secure their servers on the system level

Every PHP function can be "dangerous" if you don't take adequate security measures. This includes "echo" (XSS), "mail" (mail injection), file functions (e.g. readfile('/etc/passwd')), etc.

user187291
0

Well... I don't think preg_match is something so "dangerous". eval and exec, on the other hand, are a bit bad. Especially exec, which is even mostly forbidden on hosting servers because it adds really HUGE HUGE security risks.

RRStoyanov
  • I said "so", I didn't say it's not at all :) The /e on preg_match is rarely used in code which is not written to be an exploit... Surely there are plenty of people who try to find any possible way to harm someone's site, but comparing `preg_match` to `exec`, I don't think `preg_match` is the worst one. For security... well, a lot of PHP functions are vulnerable :) – RRStoyanov Jun 01 '11 at 07:56