I’m making a small file editor and the only kicker is I don’t want the people who have access to it to use dangerous functions like unlink, chdir, exec, and I’m sure there’s 100 more they shouldn’t be able to use.
I was thinking of just making an array of dangerous functions I don’t want them to be able to use and when they save the file just str_replacing them out but the problem with that is what if I leave out several dangerous functions?
So with that I was hoping that either A) someone could give me a list of functions that people could abuse within PHP, OR B) give me a better solution to this problem.
Note: I’m not the server admin, so I’d only be able to use htaccess if you can help with the latter.
Dave
If you ask me, any attempt to parse this out on source file level is hopeless.
Consider
Just one of hundreds of workarounds to trick your parser….
The only way to block functions reliably is using the disable_functions php.ini directive. This is how many web providers disable potentially dangerous functions. Sadly, this is only accessible if you are the server administrator.
If you can’t secure your system on that level, don’t let your users write PHP code. It’s too dangerous.
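
Added example, not part of the original answer: a PHP script that reads the disable_functions value in effect on the host and reports which functions from a deny-list it does not cover. The list WANT_DISABLED and the helper names are hypothetical; the list starts from the three functions named in the question and is not exhaustive.

```php
<?php
// Added example: audit the host's disable_functions setting against a
// hypothetical deny-list. The list is illustrative, not exhaustive.
const WANT_DISABLED = ['unlink', 'chdir', 'exec', 'system', 'passthru',
                       'shell_exec', 'proc_open', 'popen'];

/** Parse a disable_functions value into a set of lowercase names. */
function parse_disabled(string $raw): array
{
    $names = [];
    foreach (explode(',', $raw) as $name) {
        // php.ini values often carry stray spaces around the commas.
        $name = strtolower(trim($name));
        if ($name !== '') {
            $names[$name] = true;
        }
    }
    return $names;
}

/** Return the names in $wanted that $raw does not disable. */
function missing_from_policy(string $raw, array $wanted): array
{
    $disabled = parse_disabled($raw);
    return array_values(array_filter(
        $wanted,
        fn(string $f): bool => !isset($disabled[strtolower($f)])
    ));
}

// Constructed sample value, formatted the way it might appear in php.ini.
$sample = 'exec, system,passthru ,shell_exec';
echo 'Sample gaps: ', implode(', ', missing_from_policy($sample, WANT_DISABLED)), PHP_EOL;

// The value actually in effect for this PHP process
// (an empty string means nothing is disabled).
$live = (string) ini_get('disable_functions');
$gaps = missing_from_policy($live, WANT_DISABLED);
echo $gaps
    ? 'Not disabled on this host: ' . implode(', ', $gaps) . PHP_EOL
    : 'Every listed function is disabled on this host.' . PHP_EOL;
```

Any name it reports as not disabled is outside the host's policy, and a source-level filter in the editor would be the only thing standing in front of it.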