I want to know how to disable the eval modifier in PHP's regex system, e.g. preg_replace('/.*/e', $code, '.'). It's a potential exploit that can be used in place of eval if anyone manages to get dodgy code onto a server. I had a problem recently with a WordPress theme from WooThemes that had a security hole that allowed hackers to upload a back door server admin type script.
I have this in my php.ini:
disable_functions = eval
Which prevented most of the damage that could've been done, but I was wondering if I can do something similar to prevent all forms of 'eval' apart from the call_user_func_array() stuff?
The Suhosin extension provides an option to disable the /e modifier.
disable_functions = eval, by the way, won't do what you expect (as eval is not a function, but a language construct). Again, the Suhosin extension provides an option to disable eval.
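An application-level complement to the Suhosin setting, added here as an example (it is not code from the question or the answer): a wrapper that inspects a pattern's modifier list and refuses anything carrying /e before preg_replace() can turn the replacement into executed code, while leaving call_user_func_array() and ordinary patterns untouched. Function names are hypothetical; it is written in PHP 5 syntax because /e only exists there (deprecated in 5.5, removed in 7.0).

```php
<?php
// Added example, not code from the question or answer: refuse any
// preg_replace() pattern carrying the /e modifier (which runs the replacement
// as PHP). PHP 5 syntax on purpose: /e exists only there (deprecated in 5.5,
// removed in 7.0 in favour of preg_replace_callback()). Names are hypothetical.

// Return the modifier string of a PCRE pattern as PHP delimits it, or null if
// the pattern is malformed. The delimiter is the first non-alphanumeric,
// non-backslash, non-whitespace character; bracket delimiters pair with closers.
function pcre_modifiers($pattern) {
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $open = $pattern[0];
    if (ctype_alnum($open) || $open === '\\') {
        return null;
    }
    $pairs = array('(' => ')', '[' => ']', '{' => '}', '<' => '>');
    $close = isset($pairs[$open]) ? $pairs[$open] : $open;
    // Everything after the last closing delimiter (skipping the opener) is the modifier list.
    $pos = strrpos($pattern, $close, 1);
    if ($pos === false) {
        return null;
    }
    return (string) substr($pattern, $pos + 1);
}

// True when the pattern's modifiers include e (the eval modifier).
function pattern_uses_eval_modifier($pattern) {
    $mods = pcre_modifiers($pattern);
    return $mods !== null && strpos($mods, 'e') !== false;
}

// Drop-in wrapper: logs and rejects /e patterns instead of executing the replacement.
function safe_preg_replace($pattern, $replacement, $subject, $limit = -1) {
    foreach ((array) $pattern as $p) {
        if (pattern_uses_eval_modifier($p)) {
            error_log('Rejected preg_replace() pattern with /e modifier: ' . $p);
            throw new InvalidArgumentException('The /e modifier is not allowed');
        }
    }
    return preg_replace($pattern, $replacement, $subject, $limit);
}

// Constructed inputs: the question's pattern, a mixed modifier list, and an 'e' in the body.
var_dump(pattern_uses_eval_modifier('/.*/e'));
var_dump(pattern_uses_eval_modifier('/a/ie'));
var_dump(pattern_uses_eval_modifier('/e/'));
var_dump(safe_preg_replace('/o/', '0', 'foo'));
```

Routing preg_replace() calls through such a wrapper also gives you a log line to alert on, since a rejected /e pattern arriving from user-controlled input is a strong sign of an injection attempt.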