Dangerous PHP Functions Must be Disabled

Posted by at 7 April, at 11 : 46 AM Print

PHP Hosting

PHP stands for Hypertext Preprocessor is a powerful and popular server-side scripting language which is used for serving dynamic web pages. It is very simple to code and debug and supports several databases like MySQL, MS SQL and Oracle.

But, have you ever pondered that some of the PHP functions can be very dangerous for your server and data stored on it ?

When the PHP code is used in an improper way or any insecure php code, potentially it can messed up with a web hosting server and can simply be hacked by hackers. Insecure PHP code can literally harm your server data at the level you cannot even imagine it.

Using the insecure PHP code, as a security hole hackers could enable some very dangerous and powerful PHP functions and can take control over your web hosting server. There are many such php function which should be disabled in the PHP configuration file. Let’s check out the functions that should be disabled in the php configuration file right away on your web server.

Following is a list of dangerous php functions:


On the cPanel servers where PHP handler is configured to use DSO, PHP runs under nobody ownership. This may become a security hole and create major issue if you have given 777 permission. The 777 permission enables the “nobody” user to read, write and execute the file. So, its better to be careful with the permissions.

It is always recommended to set the permission to 755, so that no one can edit or change the files. The PHPsuexec function disallows the php scripts to run as 777 permissions and the files cannot be read as well. This function should always be enable for ensuring the maximum security.

PHP functions such as “exec” and “system” are always used to execute the external programs. Even a shell command can also be executed. If these two functions are enabled then a user can enter any command as input and execute into your server. The user can also delete all of your data simply by giving “rm -rf *” command. Even the user can enter any command simply by using (;) in the argument area. Thus, it is better to disable the “exec” and “system” functions in your php.ini configuration file.

Enter the following command in ssh to find your php.ini file:

[email protected] [~]# php -i | grep php.ini

Mostly, you will get it in the /etc/php.ini directory or you may also get in /usr/local/lib/php.ini

Enter the following command to edit the file using your favorite editor. I have used VI editor here:

[email protected] [~]# vi /etc/php.ini

Search for the following text “disable_functions” in the php.ini file.

disable_functions: is a directive used to disable the insecure php functions.

Once you find the “disable_functions” directive in the configuration file, modify the disable_functions=”” as shown below:

disable_functions = “apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode”

The above mentioned changes can be applied on both Linux as well as Windows servers.

Once you modify the php.ini configuration file, you will need to restart the Apache web server on Linux server and IIS web server on Windows server for changes to take effect.

After disabling the above dangerous php functions, you may encounter a problem with your web applications. For example: when you disable the “shell_exec” and visit Fantastico in the cPanel, you may see the below error:

Warning: shell_exec() has been disabled for security reasons in /tmp/cpanel_phpengine.*.* on line *

In this case, you should run the following from SSH:


The above command will install a copy of PHP to use with the cPanel/WHM backend and its addons like Fantastico.

Like this post ?

Share on your Social Networking Profile ( Facebook, Twitter & Google+ ) and get a flat 10% Recurring discount on our VPS Hosting and Dedicated Servers.

Email us the shared link at : [email protected] or speak to our live chat operator now, by clicking on the “Live Chat” Scroller on the left-hand side of this page and we will provide you with the discount Coupon right away!

Be Sociable, Share!

Mac Wilson

Mac Wilson is a technology writer and a Sales and Marketing Executive at eUKhost Ltd. He loves to write about latest technologies and trends just like cloud computing which are changing the way people do business.

To know more about our services and solutions, kindly visit eUKhost's Official Website.

Latest posts by Mac Wilson (see all)

Industry News Web Hosting , , ,

Related Posts


  1. driver taylor made r11 golf drivers along with the list continues on 2v | acupuncture and more, 3 years ago

    […] cleaning furniture, though,burner taylor made,g25 ピン ゴルフドライバーは、おそらく確かである 1d, make sure you spot test first for color fastness using a handheld steamer using a small place this […]

  2. louboutin schuhe salechristian louboutin être le meilleur jeu en raison d | Articles Worldwide, 3 years ago

    […] Je ne pouvais pas accepter,christian louboutin online shop, c’est aussi vrai. Tempêtes maman à dos, criant le chemin complet à propos précisément comment Vous devez partir , pas de menaces, pas de menaces. J’ai essayé d’apaiser la fille vers le bas et expliquer que nous ne pouvons être trouvés dans des produits entrées par conséquent, il n’a pas «ajouter à revoir s’ils ne peuvent pas se tenir derrière la qualité du café,chaussures louboutin pas cher-louboutin shoes die internatio. […]

  3. louboutin pas cher *, 3 years ago

    […] phones 9500 Thunder, Blackberry 9500, 9500 Mastery, Enterprise Cell phone Related articles: Dangerous PHP Functions Must be Disabled | PHP Hosting http://christianradionewsroom.org/ou…hp/2012/09/01/ […]

  4. christian louboutin pas cher louis vuttion handbags garantie besonderheit | | wedding blog | Travel blog | | Xincha9zXincha9z, 3 years ago

    […] bisschen Edelmetall, sollte es einen Stempel Platte mit einem Unentschieden Angabe 925 zu genießen,louis vuitton handbags – louis vuttion bags viacom sechsten. Im Falle das Stück erscheint ebenso wie es nicht enthält 925-Markierung durch Sterling Silber […]

Post Your Comment

You must be logged in to post a comment.