I’m storing php functions to a mySQL database from user input, these functions need to be able to be executed.
As we know, this could and will allow Mr hacker to turn a pretty website into Swiss cheese!
These functions are meant to be simple and don’t require any advanced php coding. They are more about handling a single array of data.
So if Mr hacker gets into the administrator section id like to filter out any php functions that could do serious damage before saving to the database.
Things like “exec, shell_exec, system, passthru, popen, proc_open, proc_close”, anything that can allow outside input like curl need to be removed.
So what else could be dangerous and should be removed?
I found this list as well:
http://blog.eukhost.com/webhosting/dangerous-php-functions-must-be-disabled/
apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
exec
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_get_all
ini_restore
inject_code
mysql_pconnect
openlog
passthru
php_uname
phpAds_remoteInfo
phpAds_XmlRpc
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
popen
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
syslog
system
xmlrpc_entity_decode
Ive decided to go for something like this:
http://mustache.github.com/#demo
This will allow my users format there data in there own way without direct php code.