P. 366
Web Technologies-I
Notes
• This realm-mangling took a little vacation in PHP 4.0.x but is back in PHP 4.1 and later.
• The functions set_time_limit( ), dl( ), and shell_exec( ) are disabled, as is the backtick (``) operator.
To configure safe_mode and the various related settings, you can set the server-wide default
in your php.ini file like this:
safe_mode = On
safe_mode_include_dir = /usr/local/php/include
safe_mode_exec_dir = /usr/local/php/bin
safe_mode_gid = On
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
Alternately, you can set these from your httpd.conf file using the php_admin_value directive.
Remember, these are system-level settings, and they cannot be set in your .htaccess file.
<VirtualHost 1.2.3.4>
ServerName domainA.com
DocumentRoot /web/sites/domainA
php_admin_value safe_mode On
php_admin_value safe_mode_include_dir /usr/local/php/include
php_admin_value safe_mode_exec_dir /usr/local/php/bin
</VirtualHost>
14.5 PHP Code
With the eval( ) function, PHP allows a script to execute arbitrary PHP code. Although it can be
useful in a few limited cases, allowing any user-supplied data to go into an eval( ) call is asking
to be hacked. For instance, the following code is a security nightmare:
<html>
<head>
<title>Here are the keys...</title>
</head>
<body>
<?php
// $code is populated straight from the form field (via register_globals in
// the PHP 4 era this example was written for); nothing validates it.
if ($code)
{
echo "Executing code...";
eval(stripslashes($code)); // BAD!
}
?>
<form>
<input type="text" name="code" />
<input type="submit" name="Execute Code" />
</form>
</body>
</html>
This page takes some arbitrary PHP code from a form and runs it as part of the script. The running
code has access to all of the global variables for the script and runs with the same privileges as
360 LOVELY PROFESSIONAL UNIVERSITY
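The form above is dangerous because the browser decides what code the server runs. The usual fix is to remove eval( ) entirely: the request names one of a fixed set of operations the server already defines, and every argument is validated as data before use. The script below is an added example written for this section, not code from the textbook or from any project it describes. It assumes PHP 7.1 or later running under a web server (so $_GET is populated), and the operation names, the argument fields "a" and "b", and the run_operation( ) helper are constructed for illustration.

```php
<?php
// Added example: the "calculator" form rewritten without eval().
// The client may only pick an operation name from a server-side whitelist
// and supply two numbers; anything else is rejected and logged.
// Assumes PHP 7.1+ (closures with scalar type hints, ??, [$a, $b] = ...).
declare(strict_types=1);

// Whitelist of operations. The keys are the only accepted values of the
// "op" parameter; the closures are owned by the server, never by the user.
$operations = [
    'add' => function (float $a, float $b): float { return $a + $b; },
    'mul' => function (float $a, float $b): float { return $a * $b; },
    'pow' => function (float $a, float $b): float { return $a ** $b; },
];

/**
 * Validate the request and run the selected operation.
 * Returns [true, result] on success or [false, message] on rejection, so the
 * caller renders a result or an error without ever treating input as code.
 */
function run_operation(array $operations, array $request): array
{
    $op = $request['op'] ?? '';
    // Reject non-strings (e.g. op[]=x) and any name outside the whitelist.
    if (!is_string($op) || !isset($operations[$op])) {
        // Log a sanitised, truncated copy of the rejected value for review.
        error_log('rejected op=' . substr(preg_replace('/[^\w.-]/', '?', $op), 0, 40));
        return [false, 'Unknown operation'];
    }
    foreach (['a', 'b'] as $arg) {
        $v = $request[$arg] ?? null;
        // FILTER_VALIDATE_FLOAT accepts only a plain number, so a value such
        // as "1;phpinfo()" fails here instead of reaching any interpreter.
        if (!is_string($v) || filter_var($v, FILTER_VALIDATE_FLOAT) === false) {
            return [false, "Argument $arg must be a number"];
        }
    }
    $result = $operations[$op]((float) $request['a'], (float) $request['b']);
    return [true, $result];
}

[$ok, $value] = run_operation($operations, $_GET);
?>
<html>
<head>
<title>Calculator (no eval)</title>
</head>
<body>
<?php if (isset($_GET['op'])): ?>
<p>
<?php
// Output is HTML-escaped, so the echoed text cannot become markup either.
echo $ok
    ? 'Result: ' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
    : 'Error: ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
?>
</p>
<?php endif; ?>
<form method="get">
<select name="op">
<?php foreach (array_keys($operations) as $name): ?>
<option value="<?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>"><?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?></option>
<?php endforeach; ?>
</select>
<input type="text" name="a" /> <input type="text" name="b" />
<input type="submit" value="Compute" />
</form>
</body>
</html>
```

The important design choice is that user input only ever selects between server-defined behaviours or is converted to a typed value; no string built from the request is ever handed to eval( ), include( ), or a shell. The rejection log line is the detection hook: repeated "rejected op=" entries from one client are worth a look.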