Writing secure code
Using PHP features that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using features that introduce vulnerabilities in your code.
PHP functions to avoid
The following is a list of PHP functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.
`eval` is considered bad practice because of its ability to execute arbitrary PHP code.
`unserialize` - Attackers can exploit this function by passing it a string containing a serialized arbitrary object, which can lead to arbitrary code execution.
`md5` - The algorithm behind this function is known to have cryptographic weaknesses. Never use it for hashing passwords or any other sensitive data.
`srand` - Seeding the random number generator with a predetermined number results in a predictable sequence of numbers.
`mt_srand` - This function seeds the Mersenne Twister pseudo-random number generator (PRNG), which is not cryptographically secure.
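The following added example (not part of the original page) shows the standard PHP replacements for each function listed above: `password_hash`/`password_verify` in place of `md5` for passwords, `hash`/`hash_equals` for integrity checks, `random_bytes`/`random_int` in place of seeded `srand`/`mt_srand` sequences, and `unserialize` restricted with `allowed_classes => false` for legacy data that must still be read. All calls are real PHP standard-library functions; the function names wrapping them and the sample inputs are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Wrapper names and sample values are constructed.

// 1. Passwords: password_hash() applies a slow, salted algorithm (bcrypt by default)
//    instead of a fast, unsalted digest such as md5().
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function verifyPassword(string $plain, string $hash): bool
{
    return password_verify($plain, $hash);
}

// 2. Integrity of non-secret data: when a digest is genuinely needed, use SHA-256
//    via hash() and compare with hash_equals() to avoid timing side channels.
function digestMatches(string $data, string $expectedHex): bool
{
    return hash_equals($expectedHex, hash('sha256', $data));
}

// 3. Random values: random_bytes()/random_int() read from the OS CSPRNG and need
//    no seed, unlike srand()/mt_srand() followed by rand()/mt_rand().
function generateToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

function pickOtpDigit(): int
{
    return random_int(0, 9);
}

// 4. Untrusted serialized input: do not unserialize() attacker-controlled strings.
//    If legacy serialized data must be read, forbid object instantiation with
//    allowed_classes => false; any object in the payload becomes
//    __PHP_Incomplete_Class instead of a live object with magic methods.
function unserializeScalarsOnly(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Demonstration with constructed values.
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('wrong password', $hash));
var_dump(digestMatches('payload', hash('sha256', 'payload')));
echo generateToken(), PHP_EOL;
echo pickOtpDigit(), PHP_EOL;
var_dump(unserializeScalarsOnly('a:1:{s:1:"k";i:1;}'));
```

`allowed_classes => false` limits the damage of a legacy `unserialize` call but does not make it safe against malformed input in general; treat it as a migration aid while moving the data format to JSON.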
Standard PHP library classes to avoid
The `ArrayObject` class is not recommended because it contains an `unserialize` method, which attackers can use to create an exploit.
If you need to use the `ArrayObject` class, override its `unserialize` methods so that they use secure logic: convert objects into arrays to serialize them, and reconstruct the objects from those arrays during unserialization.
You can use PHP's JSON functions, such as `json_decode`, for a secure way of serializing/unserializing data.