Filesystem and Directory Functions

Started by chinmay.sahoo, 12-24-2015, 00:42:23

chinmay.sahoo (Topic starter)

Most of these functions will be quite familiar to Unix users, as they closely replicate common system commands.

Many of the functions in this section are dangerous. Because they duplicate functions that can and should be performed from the local system, they can be a cracker's bonanza without providing much value to legitimate users. Strongly consider disabling them using PHP's disable_functions directive (as discussed in the preceding section on file writing)!

The one piece of good news is that some of these functions will only work if the PHP process is running as the superuser. Because this is not the default case in the Web browser, presumably these functions are intended to be used by the scripting version of PHP, and only trusted users who know what they're doing are even in a position to shoot themselves in the foot this way. Of course, if you are foolish enough to run your Web server as root, you are doubly screwed.


TomClarke

#1
It's important to exercise caution when using certain functions in PHP that replicate common system commands. These functions can pose a security risk and may not provide much value to legitimate users. It is recommended to disable them using PHP's disable_functions directive.

On a positive note, some of these functions will only work if the PHP process is running as the superuser. Typically, this is not the case when using a web browser. These functions are intended for use with the scripting version of PHP and should only be used by trusted users who understand the potential risks involved. However, running your web server as root is generally seen as a foolish choice that can lead to even greater security vulnerabilities.


Here are a few specific points to consider regarding the use of system commands in PHP:

1. Duplicate Functions: Many PHP functions closely replicate common system commands that can be executed directly from the local system. These functions may not provide much value to legitimate users and can be exploited by malicious individuals. It's important to evaluate whether these functions are necessary for your specific use case.

2. Risk of crackers: Functions that replicate system commands can potentially attract malicious users or "crackers." They can exploit vulnerabilities in these functions to gain unauthorized access to your system or perform other malicious activities. It's crucial to assess the security risks associated with using these functions.

3. Disable Functions: PHP provides a directive called disable_functions, which allows you to disable specific functions. This directive can help mitigate the risks associated with using dangerous functions. Consider disabling any unnecessary or high-risk functions to enhance the security of your PHP environment.

4. Superuser Permissions: Some of these system-command functions in PHP only work if the PHP process is running as the superuser (root). By default, web servers should not be run as root, as it can lead to severe security vulnerabilities. Ensure that your PHP process runs with appropriate permissions to limit the potential damage caused by executing system commands.

In summary, exercise caution when using functions that replicate system commands in PHP. Evaluate the necessity of these functions for your use case, consider disabling them using the disable_functions directive, and avoid running your web server as root to minimize security risks.

Here are two great articles on this topic. In this http://www.php.net/manual/fa/ref.filesystem.php you will find information about filesystem functions and in this one http://ua2.php.net/manual/fa/ref.dir.php you can read information about directory functions!
Good luck!
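
The two checks discussed in this thread (which command-like filesystem functions are still callable, and whether PHP is running as the superuser) can be audited from PHP itself. This is an added example, not part of either post; the function list is an illustrative selection from PHP's filesystem reference and the helper names `parse_disabled` and `still_enabled` are hypothetical.

```php
<?php
// Added example: audit the running PHP configuration for the two risks
// discussed in this thread. The function list below is an assumption (an
// illustrative selection), not a complete or authoritative list.

const COMMAND_LIKE_FUNCTIONS = [
    'chown', 'chgrp', 'chmod', 'unlink', 'rmdir', 'mkdir',
    'rename', 'copy', 'symlink', 'link', 'touch',
];

/** Parse a disable_functions value (comma-separated) into a lowercase list. */
function parse_disabled(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

/** Return the functions from $candidates that are still callable. */
function still_enabled(array $candidates, array $disabled): array
{
    return array_values(array_filter(
        $candidates,
        fn ($f) => !in_array($f, $disabled, true) && function_exists($f)
    ));
}

// ini_get() returns false if the directive is unknown; cast to '' in that case.
$disabled = parse_disabled((string) ini_get('disable_functions'));
$enabled  = still_enabled(COMMAND_LIKE_FUNCTIONS, $disabled);

// posix_geteuid() needs the POSIX extension; report "unknown" without it.
$euid = function_exists('posix_geteuid') ? posix_geteuid() : null;

printf("SAPI: %s\n", PHP_SAPI);
printf("Effective UID: %s\n", $euid === null ? 'unknown (no posix ext)' : $euid);
printf("Still enabled: %s\n", $enabled ? implode(', ', $enabled) : '(none)');

// The CLI ("scripting version") is excluded: the concern is the web-facing SAPI.
if ($euid === 0 && PHP_SAPI !== 'cli') {
    echo "WARNING: PHP is serving web requests as root.\n";
}
if ($enabled && PHP_SAPI !== 'cli') {
    echo "Candidate php.ini line: disable_functions = "
        . implode(',', array_merge($disabled, $enabled)) . "\n";
}
```

Run it through the same SAPI that serves your site, since the CLI usually loads a different php.ini. The disable_functions directive can only be set in php.ini, so the suggested line has to be applied there.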