Disabling executable handling in PHP with disable_functions

By Jijith Rajan
Published on 12 Dec 2023

The disable_functions directive is used to stop certain PHP functions from executing.

Some PHP functions, if an attacker gains access to them, can make kernel-level changes to the server and have catastrophic effects on the web application.

Many servers don’t use disable_functions in PHP. The directive allows the server to disable certain functions to improve the security of the server.

PHP has many functions that can be used to compromise an application’s server if they are not used properly.

The disable_functions directive is not affected by safe mode, and it can be set in the php.ini file.

Example

The line below is an example of a disable_functions setting.

disable_functions = "exec, system"
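To confirm that a setting like this is actually in effect, the following script compares the directive's value with what the running PHP process can still call. It is an added example, not code from the original article; the target list is the set of command-execution functions this article discusses, and the helper names are illustrative.

```php
<?php
// Added example: report whether the command-execution functions are still
// callable under the configuration this PHP process actually loaded.

/** Split a disable_functions value into lower-cased function names. */
function parse_disable_functions(string $raw): array
{
    return preg_split('/[\s,]+/', strtolower($raw), -1, PREG_SPLIT_NO_EMPTY);
}

/** For each target: is it listed in the directive, and is it still callable? */
function audit_disabled(array $targets, string $rawDirective): array
{
    $listed = parse_disable_functions($rawDirective);
    $report = [];
    foreach (array_map('strtolower', $targets) as $fn) {
        $report[$fn] = [
            'listed'   => in_array($fn, $listed, true),
            // function_exists() is false once disable_functions has taken effect,
            // and also when the providing extension is simply not loaded.
            'callable' => function_exists($fn),
        ];
    }
    return $report;
}

$targets = ['exec', 'system', 'passthru', 'shell_exec']; // functions named in this article
$raw = (string) ini_get('disable_functions');

printf("SAPI: %s, loaded php.ini: %s\n", PHP_SAPI, php_ini_loaded_file() ?: '(none)');
$exposed = 0;
foreach (audit_disabled($targets, $raw) as $fn => $row) {
    $exposed += $row['callable'] ? 1 : 0;
    printf("%-12s %-9s listed in directive: %s\n", $fn,
        $row['callable'] ? 'ENABLED' : 'disabled', $row['listed'] ? 'yes' : 'no');
}
exit($exposed > 0 ? 1 : 0); // non-zero exit lets a deployment check fail
```

Run it through the same SAPI that serves the application (for example as a page under PHP-FPM or mod_php), since the CLI often loads a different php.ini.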

Disabling certain PHP functions using the disable_functions directive in the PHP configuration file (php.ini) can have various impacts on the behavior and security of your PHP applications and server environment.

What are the impacts of PHP disable_functions?

The specific impacts depend on which functions are disabled and how they are used in your codebase. Here are some potential impacts:

1. Security enhancement

The primary purpose of disabling functions is to enhance security by reducing the attack surface available to potential attackers.

By preventing the use of certain functions, you can mitigate the risk of code execution vulnerabilities and limit the potential for unauthorized access or manipulation of server resources.

2. Mitigation of Remote Code Execution (RCE) vulnerabilities

Some PHP functions, such as exec, system, passthru, and shell_exec, allow executing shell commands from within PHP scripts.

Disabling these functions can help prevent remote code execution vulnerabilities, where an attacker injects malicious code to execute arbitrary commands on the server.

3. Resource protection

Certain PHP functions might allow access to files or system resources that could potentially be abused by attackers.

Disabling functions like fopen, file_get_contents, and readfile can help protect sensitive files from being read or manipulated.

4. Reduced attack surface

Disabling unnecessary functions reduces the potential attack surface, making it harder for attackers to find vulnerabilities and exploit them.

This can be particularly important in shared hosting environments where multiple users have access to the same server resources.

5. Impact on application functionality

Disabling functions can impact the functionality of PHP applications, especially if those functions are used legitimately.

For example, if you disable the mail function, your application might not be able to send email notifications.

6. Development and debugging

Some disabled functions might be used for debugging purposes during development. Disabling these functions could hinder the ability to diagnose and fix issues in your code.

7. Performance considerations

Depending on how PHP is implemented on your server, disabling certain functions might have minor performance benefits since those functions won’t be available for use.

It’s important to strike a balance between security and functionality when deciding which functions to disable.

You should carefully review the functions you plan to disable and consider the potential impacts on your application.

Additionally, keeping your server and PHP environment up to date with security patches is crucial, as disabling functions is just one aspect of overall security.
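One way to review the functions you plan to disable is to list where your code calls them before changing php.ini. The scanner below is an added example, not part of the original article; it assumes PHP 8.0 or later (for PhpToken), and the function name, candidate list and sample source are constructed for illustration.

```php
<?php
// Added example (assumes PHP 8.0+ for PhpToken): list direct call sites of
// functions you plan to disable, so the impact is known before php.ini changes.
/** Return [line, function] pairs for direct calls to $candidates in $source. */
function find_candidate_calls(string $source, array $candidates): array
{
    $candidates = array_map('strtolower', $candidates);
    // Drop whitespace and comments so array neighbours are significant tokens.
    $tokens = array_values(array_filter(
        PhpToken::tokenize($source),
        fn (PhpToken $t) => !$t->isIgnorable()
    ));
    $hits = [];
    $inBackticks = false;
    foreach ($tokens as $i => $t) {
        if ($t->id === ord('`')) {
            // Backticks execute through shell_exec and stop working with it.
            if (!$inBackticks && in_array('shell_exec', $candidates, true)) {
                $hits[] = [$t->line, 'shell_exec (backticks)'];
            }
            $inBackticks = !$inBackticks;
            continue;
        }
        $name = strtolower(ltrim($t->text, '\\'));
        $isCall = $t->is([T_STRING, T_NAME_FULLY_QUALIFIED])
            && ($tokens[$i + 1] ?? null)?->text === '(';
        // Skip methods, static calls and declarations that only share the name.
        $isOther = ($tokens[$i - 1] ?? null)?->is(
            [T_OBJECT_OPERATOR, T_NULLSAFE_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW]
        ) ?? false;
        if ($isCall && !$isOther && in_array($name, $candidates, true)) {
            $hits[] = [$t->line, $name];
        }
    }
    return $hits;
}
// Constructed sample source, for illustration only.
$sample = <<<'PHP'
<?php
$out = shell_exec('uptime');
$mailer->exec($job);          // method call, not the built-in
\system('logrotate -f /etc/logrotate.conf');
$host = `hostname`;
mail($to, 'Report', $out);
PHP;
$plan = ['exec', 'system', 'passthru', 'shell_exec', 'mail'];
foreach (find_candidate_calls($sample, $plan) as [$line, $fn]) {
    printf("line %d: %s\n", $line, $fn);
}
```

Calls made through variable function names or call_user_func are not detected by this token scan, so treat an empty result as a starting point for review rather than proof that nothing will break.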

How can the use of disable_functions be managed effectively?

Preventing or mitigating potential risks associated with the use of disable_functions in PHP involves a combination of strategies aimed at enhancing security while maintaining the functionality of your applications.

Here are some steps you can take to effectively manage the use of disable_functions:

1. Whitelist approach

Instead of a blanket disabling of functions, consider implementing a whitelist approach.

Only disable functions that are known to be high-risk and unnecessary for your application. This allows you to strike a balance between security and functionality.

2. Regular code reviews and audits

Conduct thorough code reviews and audits of your PHP applications. Ensure that your code is free from vulnerabilities that could be exploited to bypass the disabled functions or perform unauthorized actions.

3. Input validation and sanitization

Implement robust input validation and sanitization practices to prevent common vulnerabilities like SQL injection, Cross-Site Scripting (XSS), and command injection.

By minimizing the risk of malicious input, you reduce the potential for attackers to exploit disabled functions.

4. Secure coding practices

Train your development team in secure coding practices. Educate them about the risks associated with the functions you’ve disabled and encourage the use of secure alternatives or workarounds.

5. Application firewalls

Utilize a Web Application Firewall (WAF) to monitor and filter incoming traffic for malicious patterns.

A WAF can help detect and block potential attacks that attempt to bypass the disabled functions.

6. Server hardening

Secure your server environment by following best practices for server configuration and permissions.

This includes regularly updating the operating system, web server software, and other components to address security vulnerabilities.

7. Regular updates

Keep your PHP version and extensions up to date.

8. Logging and monitoring

Implement robust logging and monitoring mechanisms to track and analyze application behavior.

This can help you detect suspicious activities and potential attempts to bypass disabled functions.

Remember that no security measure is foolproof, and it’s important to regularly review and update your security practices based on evolving threats and vulnerabilities.

A holistic approach to security, encompassing both preventive and detective measures, is crucial for maintaining a secure PHP environment.


Written by Jijith Rajan, Cyber Security Engineer