Filter malicious PHP code function

Question

I've created a CMS system that grabs website source code from FTP addresses and uploads it to the current server. The issue with this is I don't want to be uploading dangerous code that can control my server.

Is there any tried and tested functions that already exist to filter PHP code for malicious code?

Thanks in advance.

The real answer is: don't run arbitrary code on your server. Why would you want to do this? — Oliver Charlesworth, Dec 26 '11 at 17:09
It is an unfortunate necessity for the way my CMS system works. — Ally, Dec 26 '11 at 17:15
It allows my system to sit on top of any existing website. I'm not aware of any other CMS system that does that, usually you have to embed it in the code to manage the content. But thanks for your concern :) — Ally, Dec 26 '11 at 17:22

score 2 · Accepted Answer · edited May 23 '17 at 12:03

2

The issue with this is I don't want to be uploading dangerous code that can control my server.

Then don't do this. There is no 100% reliable way to exclude the possibility that code is malicious in some way.

That said, there is a list of exploitable PHP functions here on SO. But in your case, I'd still say - if you can't trust the code you are uploading, don't upload it. Find another way to do what you need to do.

edited May 23 '17 at 12:03

Community

1
1

answered Dec 26 '11 at 17:08

Pekka

442,112
142
972
1,088

Not entirely true: You could run it in a VM. – Oliver Charlesworth Dec 26 '11 at 17:10
@Oli yeah. It doesn't seem to be possible for the OP, though – Pekka Dec 26 '11 at 17:19
Thanks for this list it will be very helpful. I will simply filter out code with specific key words. I know this may break the uploaded website, but that is fine for simple content management. – Ally Dec 26 '11 at 17:20

Filter malicious PHP code function

1 Answers1