PHP 7.3 reached end of support in December 2021 and Adobe Commerce 2.3.x reaches end of support in September 2022. You may want to consider planning your upgrade now to Adobe Commerce 2.4.x and PHP 7.4.x to help maintain PCI compliance.

Writing secure code

Overview

Using PHP features that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using features that introduce vulnerabilities in your code.

PHP functions to avoid

The following is a list of PHP functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.

Standard PHP library classes to avoid

  • ArrayObject - Using ArrayObject class is not recommended because it contains unserialize method, which attackers can use to create an exploit.

    If you need to use the ArrayObject class, override the serialize/unserialize methods so that they use secure logic. Convert objects into arrays to serialize them, and reconstruct the objects using arrays during unserialization.

    You can use Serialize Library in framework for a secure way of serializing/unserializing data.