RE: blocking exec() silently


 



> Instruct ICC wrote:
> > I was going to mention
> > http://php.he.net/manual/en/features.safe-mode.functions.php and ask 
> > you if you need any of those functions, but I prefer Nathan's answer.  
> > You may be able to set the error reporting in conjunction with 
> > disable_functions and be done.

> Date: Thu, 13 Sep 2007 20:30:52 +0200
> From: samy-delux@xxxxxx
> Hey,
> 
> Thanks for the replies!
> safe-mode is not an option unfortunately!
> But changing the Error reporting, is the first thing I wanted to do, but 
> when I asked if this was possible on this list, somebody replied, that 
> this is not possible!
> 
> Could you point me to a way, how I can achieve, that the "this function 
> is disabled" error, without suppressing other error messages?
> 
> Regards,
> Samy

I just tested what I had in mind.  And it worked.  When I added phpinfo to disable_functions in php.ini and attempted to use it in a script, it was displayed as a warning.  So I modified error_reporting in php.ini to not show warnings and I believe I achieved the results you want.  However, in a production environment, I think you should disable all error reporting to not tip your hand to a hacker.  I haven't verified this today, but I remember a situation where the PHP script would not display errors (or notices or warnings or ... whatever messages) in the web page, yet the message would still appear in the Apache logs.

I just changed php.ini to: 
disable_functions = "phpinfo"
...
error_reporting  =  E_ALL & ~E_WARNING

http://php.net/manual/en/features.safe-mode.php
http://php.net/manual/en/function.error-reporting.php
http://php.net/manual/en/features.safe-mode.functions.php

Ahh, read this in php.ini:
; Print out errors (as a part of the output).  For production web sites,
; you're strongly encouraged to turn this feature off, and use error logging
; instead (see below).  Keeping display_errors enabled on a production web site
; may reveal security information to end users, such as file paths on your Web
; server, your database schema or other information.


Also Samy,
I saw something like this in someone's signature line on this list:


Because it destroys the context or flow of the discussion.

>Why should I not "TOP-POST"?
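
Added example, not part of the original message or of PHP itself: a small Python audit that reads php.ini text and reports where the warning for a call to a disabled function ends up, comparing the error_reporting mask from the post with the display-off, log-on setup that the quoted php.ini comment recommends. It assumes, as observed in the post, that calling a disabled function raises a warning; the sample configurations, the display_errors/log_errors values in them, the DEFAULTS table and all function names are constructed for illustration.

```python
import re

# PHP error-level constants; E_ALL as in PHP 5.4-8.3 (only the E_WARNING bit matters here).
LEVELS = {"E_ERROR": 1, "E_WARNING": 2, "E_PARSE": 4, "E_NOTICE": 8,
          "E_STRICT": 2048, "E_DEPRECATED": 8192, "E_ALL": 32767}
# Assumed fallbacks for absent directives; verify against your PHP version.
DEFAULTS = {"error_reporting": "E_ALL", "display_errors": "1", "log_errors": "1"}

def parse_ini(text):
    """Return {directive: value} from php.ini text, ignoring ';' comments and sections."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def error_mask(expr):
    """Evaluate an error_reporting expression such as 'E_ALL & ~E_WARNING'."""
    expr = re.sub(r"E_[A-Z_]+", lambda m: str(LEVELS[m.group()]), expr)
    if not re.fullmatch(r"[\d\s&|~^()]+", expr):
        raise ValueError("unsupported error_reporting expression")
    return eval(expr, {"__builtins__": {}})  # input is digits and bit operators only

def enabled(value):
    """Interpret a php.ini boolean value."""
    return value.lower() in ("1", "on", "true", "yes")

def audit(ini_text):
    """Say where the warning for a call to a disabled function ends up."""
    conf = parse_ini(ini_text)
    reported = bool(error_mask(conf["error_reporting"]) & LEVELS["E_WARNING"])
    return {
        "disabled": [f.strip() for f in conf.get("disable_functions", "").split(",") if f.strip()],
        "shown_to_visitor": reported and enabled(conf["display_errors"]),
        "written_to_log": reported and enabled(conf["log_errors"]),
        "other_warnings_lost": not reported,
    }

# Constructed samples: the first uses the two directives from the post (display and
# log settings are assumed); the second follows the php.ini comment quoted above.
POSTED = 'disable_functions = "phpinfo"\nerror_reporting = E_ALL & ~E_WARNING\ndisplay_errors = On\nlog_errors = On\n'
HARDENED = 'disable_functions = "phpinfo"\nerror_reporting = E_ALL\ndisplay_errors = Off\nlog_errors = On\n'

if __name__ == "__main__":
    for name, ini in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, audit(ini))
```

With the mask from the post the warning is hidden from visitors but also never logged, along with every other warning; with display_errors off and log_errors on it stays out of the page while attempts to call the disabled function remain visible in the log.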
