---
group: php-developer-guide
subgroup: Security
title: Non-secure functions
menu_title: Non-secure functions
menu_order: 2100
---
Using functions that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using functions that introduce vulnerabilities in your code.
The following is a list of {% glossarytooltip bf703ab1-ca4b-48f9-b2b7-16a81fd46e02 %}PHP{% endglossarytooltip %} functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.
- `eval` - Using `eval` is considered bad practice because of its ability to execute arbitrary PHP code.
- `serialize`/`unserialize` - Attackers can create an exploit for these functions by passing a string with a serialized arbitrary object to the `unserialize` function to run arbitrary code.
- `md5` - The algorithm for this function is known to have cryptographic weaknesses. You should never use this function for hashing passwords or any other sensitive data.
- `srand` - Using a predetermined number to seed the random number generator results in a predictable sequence of numbers.
- `mt_srand` - This function is a pseudo-random number generator (PRNG) and is not cryptographically secure.
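As an added example that is not part of this guide or the Magento code base, the following shows the standard-library PHP replacements a developer would reach for instead of the functions listed above (`unserialize` on untrusted input, `md5` for passwords, `srand`/`mt_srand` for tokens); it assumes PHP 7.3 or later, and the function names and sample input are the example's own.

```php
<?php
declare(strict_types=1);
// Added example, not part of the guide: safer replacements for the functions
// listed above. Assumes PHP >= 7.3 (random_bytes, allowed_classes, JSON_THROW_ON_ERROR).

// unserialize(): untrusted input can describe any class. Prefer JSON for
// data that is only scalars/arrays; if unserialize() is unavoidable, forbid
// object instantiation so a crafted payload cannot build objects.
function decodeUntrustedJson(string $payload): array
{
    $data = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

function unserializeWithoutObjects(string $payload)
{
    // Any serialized object becomes __PHP_Incomplete_Class instead of a live
    // instance, so no constructor, __wakeup() or __destruct() of an application class runs.
    return unserialize($payload, ['allowed_classes' => false]);
}

// md5(): fast and unsalted, so unsuitable for passwords. password_hash()
// applies a salted, deliberately slow algorithm (bcrypt by default).
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// srand()/mt_srand() feed seeded, reproducible generators. Tokens and codes
// must come from the CSPRNG instead.
function newSessionToken(): string
{
    return bin2hex(random_bytes(32)); // 256 bits of entropy
}

function newVerificationCode(): string
{
    return str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
}

// Constructed sample: a serialized stdClass, the kind of input that must never
// be allowed to instantiate application classes.
$sample = 'O:8:"stdClass":1:{s:4:"name";s:5:"guest";}';
var_dump(unserializeWithoutObjects($sample) instanceof __PHP_Incomplete_Class);
```

`eval` has no safe drop-in replacement; the fix there is to never build executable code from input at all.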