Disable PHP functions in a vhost or multi-user environment

Providing PHP access to many users requires patience as well as security awareness.

People can damage the server with PHP functions such as system and passthru.

PHP provides the php.ini file, and this is the file to edit in order to disable dangerous functions.

Some candidate functions to disable are:

system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual

With this list in hand, PHP has to be told about these functions by editing the php.ini file. This file is located in C:\windows (on my Win XP).

Double-click the file to open it, click Edit -> Find, and enter "disable_functions".

Before editing, the line looks like this:

To disable the functions, add them after the = sign, like this:

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = "system, exec, shell_exec, passthru, set_time_limit, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual"

Save the file and restart the web server.

Open a new plain-text file and save it as info.php.

Open a browser and type the address of the file, e.g.:

http://localhost/info.php

After editing php.ini:

With this in place, the security improvement takes effect. Of course there is a trade-off on the client side: some functions are no longer available.

A user tries to view the PHP configuration using phpinfo() 🙂
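
A scripted alternative to reading the phpinfo() page by eye: the script below is an added example, not part of the original post. It reports which php.ini was actually loaded and whether each function from the list above is disabled. The file name check_disabled.php is hypothetical, and PHP 7 or later is assumed.

```php
<?php
// check_disabled.php (hypothetical name). Added example, assumes PHP 7 or later.
// $required is the list from this page; trim it to what your policy needs.
$required = [
    'system', 'exec', 'shell_exec', 'passthru', 'set_time_limit', 'error_log',
    'ini_alter', 'dl', 'pfsockopen', 'openlog', 'syslog', 'readlink', 'symlink',
    'link', 'leak', 'fsockopen', 'popen', 'escapeshellcmd',
    'apache_child_terminate', 'apache_get_modules', 'apache_get_version',
    'apache_getenv', 'apache_note', 'apache_setenv', 'virtual',
];

// Split a disable_functions value into lower-case names (commas or spaces).
function parse_disabled(string $raw): array
{
    $names = preg_split('/[\s,]+/', strtolower($raw), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($names));
}

// Classify each required name against the list PHP actually loaded.
// The ini value is checked first because function_exists() treats disabled
// functions differently before and after PHP 8.0.
function audit(array $required, array $disabled): array
{
    $report = [];
    foreach ($required as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report[$fn] = 'disabled';
        } elseif (function_exists($fn)) {
            $report[$fn] = 'STILL CALLABLE';
        } else {
            $report[$fn] = 'not in this build';
        }
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
// Confirms that the php.ini you edited is the one PHP really read.
echo 'Loaded php.ini: ', php_ini_loaded_file() ?: '(none)', "\n";
$report = audit($required, parse_disabled((string) ini_get('disable_functions')));
foreach ($report as $fn => $status) {
    printf("%-24s %s\n", $fn, $status);
}
$open = array_keys($report, 'STILL CALLABLE', true);
echo $open ? 'Not disabled: ' . implode(', ', $open) . "\n" : "All listed functions are disabled or absent.\n";
```

Request the script through the web server rather than the command line, since the two can load different php.ini files. Remove it and info.php once the check is done, because both reveal configuration details to anyone who can reach them.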