PHP 7.3 reaches end of support in December 2021 and Adobe Commerce 2.3.x reaches end of support in April 2022. We strongly recommend planning your upgrade now to Adobe Commerce 2.4.x and PHP 7.4.x to help maintain PCI compliance.

Non-secure functions


Using functions that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using functions that introduce vulnerabilities in your code.

PHP functions to avoid

The following is a list of PHP functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.

  • eval - Using eval is considered bad practice because of its ability to execute arbitrary PHP code.
  • serialize/unserialize - Attackers can create an exploit for these functions by passing a string with a serialized arbitrary object to the unserialize function to run arbitrary code.
  • md5 - The algorithm for this function is known to have cryptographic weaknesses. You should never use this function for hashing passwords or any other sensitive data.
  • sha1 - It is not recommended to use this function to secure passwords. This hashing algorithm has been compromised. See the Password Hashing FAQ for details and best practices.
  • srand - Using a predetermined number to seed the random number generator results in a predictable sequence of numbers.
  • mt_srand - This function is a pseudo-random number generator (PRNG) and is not cryptographically secure.
  • include - Depends on implementation. If you specifically set the path, then it is secure. An attack could happen if you allow user input to determine the file path without sanitization or checks. For example include($_GET['file']);. The remote file may be processed at the remote server, but also on the local server. If the file from the remote server is processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.