PHP Security Code Review – Potentially Dangerous PHP Functions

The first set consists of inputs, not functions. 😀
See the PHP Language Reference for the documentation of each function.

Form/Script Inputs

    $_
    $_GET
    $_POST
    $_REQUEST
    $_SERVER

Command execution

    shell_exec
    system
    exec
    popen
    passthru
    proc_open
    pcntl_exec

Code execution

    eval
    assert
    preg_replace | grep "/e"
    create_function

SQL injection

    $sql

Information disclosure

    phpinfo

Development functionality

    debug
    $_GET['debug']
    $_GET['test']

File inclusion

    file_include
    include
    require
    include_once
    require_once

Filesystem functions

    fwrite
    file_get_contents
    fopen
    glob
    popen
    file
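The checklist above is a set of grep terms, and the quickest way to use it in a review is to run it over the code base and read every hit in context. The scanner below is an added example, not code from the original post: it takes the page's categories as search terms, treats bare names as function calls (name followed by an opening parenthesis, so `exec(` is reported but `shell_exec(` is counted only once, under its own name), treats `include`/`require` as language constructs that may omit parentheses, and adds the `preg_replace` check by parsing the pattern literal for a trailing `e` modifier instead of grepping for the string `/e`. The comment-skipping heuristic, the `SAMPLE_PHP` source and the `Finding` record are my own assumptions; the sample is constructed for the demonstration and is not real application code.

```python
import re
from typing import Dict, List, NamedTuple

# Search terms grouped as in the checklist above (inputs first, then functions).
CHECKLIST: Dict[str, List[str]] = {
    "input": ["$_GET", "$_POST", "$_REQUEST", "$_SERVER"],
    "command execution": ["shell_exec", "system", "exec", "popen",
                          "passthru", "proc_open", "pcntl_exec"],
    "code execution": ["eval", "assert", "create_function"],
    "information disclosure": ["phpinfo"],
    "development functionality": ["$_GET['debug']", "$_GET['test']"],
    "file inclusion": ["include", "require", "include_once", "require_once"],
    "filesystem": ["fwrite", "file_get_contents", "fopen", "glob", "file"],
}

# Language constructs: may be written without parentheses, e.g. `include $page;`
CONSTRUCTS = {"include", "require", "include_once", "require_once"}


class Finding(NamedTuple):
    line: int        # 1-based line number in the scanned source
    category: str
    term: str
    text: str        # the offending source line, whitespace-stripped


def _compile(term: str) -> "re.Pattern":
    if term.startswith("$"):
        return re.compile(re.escape(term))            # superglobal: literal match
    if term in CONSTRUCTS:
        return re.compile(r"\b" + term + r"\b")       # keyword, parentheses optional
    return re.compile(r"\b" + term + r"\s*\(")        # function call: name, optional space, '('


PATTERNS = [(cat, term, _compile(term))
            for cat, terms in CHECKLIST.items() for term in terms]

# preg_replace whose first argument is a quoted string; group 2 is the pattern with delimiters.
PREG = re.compile(r"""\bpreg_replace\s*\(\s*(['"])(.*?)\1""")


def _has_e_modifier(pattern: str) -> bool:
    """True if a PCRE pattern literal such as '/(.*)/e' carries the eval modifier."""
    if len(pattern) < 2:
        return False
    delim = pattern[0]
    close = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(delim, delim)
    end = pattern.rfind(close)
    if end <= 0:
        return False
    return "e" in pattern[end + 1:]


def _is_comment(line: str) -> bool:
    # Heuristic (assumption): whole-line comments only; trailing comments are still scanned.
    return line.lstrip().startswith(("//", "#", "*", "/*"))


def scan_php(source: str) -> List[Finding]:
    """Report every checklist hit in `source`, one Finding per (line, term)."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        if _is_comment(raw):
            continue
        for cat, term, pat in PATTERNS:
            if pat.search(raw):
                findings.append(Finding(lineno, cat, term, raw.strip()))
        m = PREG.search(raw)
        if m and _has_e_modifier(m.group(2)):
            findings.append(Finding(lineno, "code execution", "preg_replace /e", raw.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per checklist category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample input for the demonstration; not real application code.
SAMPLE_PHP = r"""<?php
// constructed sample for the scanner
$cmd = $_GET['cmd'];
system($cmd);
$out = preg_replace('/(.*)/e', 'strtoupper("\\1")', $input);
$safe = preg_replace('/(.*)/i', 'x', $input);
include $_REQUEST['page'];
if (isset($_GET['debug'])) { phpinfo(); }
$data = file_get_contents('/etc/hostname');
// system("legacy");  commented out, so not reported
"""

if __name__ == "__main__":
    hits = scan_php(SAMPLE_PHP)
    for f in hits:
        print(f"{f.line:>3}  {f.category:<26} {f.term:<18} {f.text}")
    print(summarize(hits))
```

Every hit is a candidate, not a confirmed finding: `system($cmd)` on the sample's line 4 is dangerous because `$cmd` comes from `$_GET` on line 3, while `file_get_contents` with a fixed path is usually fine. The scanner's job is to produce the list of lines a reviewer has to read; the data-flow judgement stays manual.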
