Should I, or should I not, use PHP functions that are considered "dangerous"?

A few days ago I attended a seminar where they talked about the "dangerous" PHP functions. However, they did not say that we should use them. They are eval(), preg_match(), exec() and many more.

Although I do not use them, or do not use them often, sometimes I have to. Is it bad practice to use these functions? Even if I know that, where I use them, the user cannot reach them?

Edit: For the preg_match() question, check the following: preg_match() security hole

+3
6 answers

[Answer text lost in extraction; only the fragment "PHP" survives.]

+11

[Answer text lost in extraction; surviving fragments: "sloppy", "(XSS)", "readfile(/etc/passwd)".]

+2

[Answer text lost in extraction; surviving fragments: "100%", "eval", "exec".]

+1

[Answer text lost in extraction; surviving fragments: "include()", "php exec()", "ini". The answer points at the php.ini directive below.]

php.ini

; [comments lost in extraction]
disable_functions =

JohnP

+1
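The answer above points at php.ini's disable_functions; the following is an added example written for this thread (not code from any answer or from the PHP manual) that shows the same idea from the application side: the functions are only as dangerous as what reaches them. The helper names (unsafe_ping, safe_ping, is_valid_username, calc) are hypothetical, and the ping invocation assumes a Linux host.

```php
<?php
// Added example. Rule 1: never let raw user input reach exec() or eval().
// Rule 2: lock down the runtime with php.ini so a mistake has less reach.

// exec(), unsafe form: $host comes straight from the request, so any shell
// metacharacters in it are interpreted by the shell as further commands.
function unsafe_ping(string $host): string {
    exec("ping -c 1 " . $host, $out);
    return implode("\n", $out);
}

// exec(), hardened form: allow-list the value first, then quote it so the
// shell sees exactly one literal argument, and check the exit status.
function safe_ping(string $host): string {
    if (!preg_match('/\A[a-z0-9.-]{1,253}\z/i', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    exec('ping -c 1 ' . escapeshellarg($host), $out, $status);
    if ($status !== 0) {
        throw new RuntimeException('ping failed');
    }
    return implode("\n", $out);
}

// preg_match(): matching user *data* against a fixed pattern is fine; the
// risk is a user-supplied *pattern* or one that backtracks catastrophically.
// Keep the pattern constant and treat a PCRE error (false) as "invalid",
// since preg_match() returns 1, 0 or false.
function is_valid_username(string $name): bool {
    $r = preg_match('/\A[a-z_][a-z0-9_]{2,31}\z/', $name);
    return $r === 1;
}

// eval(): there is no hardened form. Replace "build code from input" with
// "select data by input", e.g. a fixed table of operations.
const OPS = ['add' => 'op_add', 'mul' => 'op_mul'];
function op_add(int $a, int $b): int { return $a + $b; }
function op_mul(int $a, int $b): int { return $a * $b; }
function calc(string $op, int $a, int $b): int {
    if (!isset(OPS[$op])) {
        throw new InvalidArgumentException('unknown op');
    }
    return (OPS[$op])($a, $b);
}

// php.ini side (the disable_functions directive from the answer above):
// a comma-separated list of functions the engine will refuse to call.
// Caveat: eval is a language construct, not a function, so it cannot be
// disabled here; only code review or static analysis catches its use.
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```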

Well ... I do not think that preg_match is something "dangerous." eval and exec, on the other hand, are a little bad. Especially exec, which is even prohibited on hosting servers, because it adds a really HUGE HUGE security threat.

0