Disable Dangerous PHP Functions: Protecting Your Website Against PHP Risks
Disabling dangerous functions is therefore an important protective measure.
Examples of dangerous functions:
exec(), shell_exec(), system(), passthru(), proc_open(), popen()
eval(), assert(), create_function()
phpinfo() (can reveal the PHP version and configuration settings)
🔧 1️⃣ How to Disable Dangerous Functions
Make sure you have access to php.ini. Then remove or add functions in disable_functions. Two caveats about the list below: eval is a language construct, not a function, so listing it has no effect (eval can only be avoided in the code itself), and create_function was removed in PHP 8.0, so on PHP 8 it is already unavailable:
; php.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,eval,assert,create_function,phpinfo
How to verify:
php -i | grep disable_functions
Note that the php command line reads the CLI php.ini, which on many distributions is a separate file from the one Apache or PHP-FPM uses. Also confirm the value from a script served by the web server (for example by printing ini_get('disable_functions')).
On shared hosting where you cannot edit php.ini, you may be tempted to use .user.ini or .htaccess. Be aware, however, that disable_functions is a PHP_INI_SYSTEM directive: PHP ignores it in .user.ini and .htaccess, so a setting like the one below only takes effect in php.ini itself. On such hosts, set it through the host's control panel or ask support to do it:
; .user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,eval,assert
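The check described above, as an added example that is not part of the original article: a script that reads the effective disable_functions value with ini_get() for whatever SAPI it runs under and reports which of the recommended functions are still callable. Serving it through the web server checks the Apache/PHP-FPM configuration rather than the CLI one; the list of required names is assumed from the config shown above, and the script should be removed once the check is done.

```php
<?php
// Added example, not from the original article: report the effective
// disable_functions value for the SAPI this script runs under. Serve it
// through the web server to check the Apache/PHP-FPM configuration, since
// "php -i" on the command line reads the CLI php.ini instead. Remove the
// script once the check is done.

// Functions the article recommends disabling. eval is left out on purpose:
// it is a language construct, so disable_functions cannot block it.
const REQUIRED_DISABLED = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'assert', 'create_function', 'phpinfo',
];

// Turn the raw ini value ("exec, system ,popen") into a clean, lower-cased list.
function parseDisabled(string $value): array
{
    $names = array_map('trim', explode(',', $value));
    $names = array_filter($names, fn (string $n): bool => $n !== '');
    return array_values(array_unique(array_map('strtolower', $names)));
}

// Return the required names that are still callable in this SAPI.
// A name that neither appears in disable_functions nor exists in this PHP
// build (create_function was removed in PHP 8.0) is not reported, because
// it cannot be called anyway.
function stillCallable(array $required, array $disabled): array
{
    $callable = [];
    foreach ($required as $fn) {
        if (in_array($fn, $disabled, true)) {
            continue;
        }
        if (function_exists($fn)) {
            $callable[] = $fn;
        }
    }
    return $callable;
}

$disabled = parseDisabled((string) ini_get('disable_functions'));
$callable = stillCallable(REQUIRED_DISABLED, $disabled);

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=utf-8');
}
echo "SAPI: " . PHP_SAPI . "\n";
echo "disable_functions: " . ($disabled === [] ? '(empty)' : implode(',', $disabled)) . "\n";
if ($callable === []) {
    echo "OK: every function on the list is disabled or unavailable.\n";
} else {
    echo "WARNING: still callable: " . implode(', ', $callable) . "\n";
}
```

Run it once from the command line and once through the web server; if the two SAPI lines show different disable_functions values, the web server is loading a different php.ini than the CLI.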
🛠️ 2️⃣ Further Hardening
✅ Limit File Upload Execution
Prevent PHP from executing inside the uploads folder (this Apache directive is only understood when mod_php is loaded):
<Directory "/var/www/html/uploads">
php_admin_flag engine off
</Directory>
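The same restriction for Apache 2.4 with PHP-FPM, where php_admin_flag is unavailable because mod_php is not loaded, as an added configuration example that is not part of the original article. It refuses to serve any PHP-like file under uploads, so the request never reaches the FPM handler; the directory path is assumed to match the one used above.

```apache
# Added example (not from the original article): block PHP execution in the
# uploads directory on Apache 2.4 + PHP-FPM, where php_admin_flag does not apply.
# Any file with a PHP-style extension under this path is refused outright,
# so it is never handed to the FPM handler. Adjust the path to your document root.
<Directory "/var/www/html/uploads">
    <FilesMatch "\.(php[0-9]?|phar|phtml|phps)$">
        Require all denied
    </FilesMatch>
</Directory>
```

This block also works under mod_php, so it can be used alongside php_admin_flag engine off as a second layer.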
✅ Validate Input
Check all input reaching your server (POST, GET, COOKIE):
<?php
// Read with "?? ''" so a missing field does not raise an undefined-index warning.
$user_input = $_POST['username'] ?? '';
// Strip every character outside the allowed set (letters, digits, underscore, hyphen).
$clean = preg_replace("/[^a-zA-Z0-9_-]/", "", $user_input);
?>
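An added example, not from the original article, showing the stricter form of this check: validate input against an allowlist and reject anything that does not match, instead of silently stripping characters (a value that comes back altered can still break assumptions elsewhere; a rejected value cannot). The username rules, the id parameter and the $pdo connection in the comment are assumptions for illustration.

```php
<?php
// Added example, not from the original article: validate input against an
// allowlist and reject non-matching values instead of silently altering them.

// Username: 3 to 32 characters from [A-Za-z0-9_-]. "\z" is used instead of "$"
// so a trailing newline is not accepted. Returns the value, or null on failure.
function validateUsername(?string $input): ?string
{
    if ($input === null || preg_match('/^[A-Za-z0-9_-]{3,32}\z/', $input) !== 1) {
        return null;
    }
    return $input;
}

// Numeric id from a query string (e.g. $_GET['id']): must be an integer >= 1.
function validateId(?string $input): ?int
{
    if ($input === null) {
        return null;
    }
    $id = filter_var($input, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Usage: read with "?? null" so a missing field does not raise a warning.
$username = validateUsername($_POST['username'] ?? null);
$id       = validateId($_GET['id'] ?? null);

if ($username === null || $id === null) {
    http_response_code(400);
    exit("Invalid input\n");
}

// Validation does not replace escaping for the output context. For HTML:
echo 'Hello, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";

// For SQL, bind the value with a prepared statement ($pdo is a hypothetical
// PDO connection you would already have opened):
// $stmt = $pdo->prepare('SELECT name FROM users WHERE id = ? AND username = ?');
// $stmt->execute([$id, $username]);
```

Returning null rather than a cleaned string forces every caller to decide what to do with bad input, which is the point: a request with an invalid username is answered with 400 rather than processed with a quietly modified value.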
🧰 3️⃣ Check Whether Dangerous Functions Are Usable
Here is a PHP script that shows you whether the dangerous functions can be called:
<?php
// Functions to probe. eval is not in the list: it is a language construct,
// so function_exists('eval') is always false and disable_functions cannot
// turn it off; it can only be avoided in the code itself.
$dangerous = ['exec','shell_exec','system','passthru','proc_open','popen','assert'];
foreach ($dangerous as $func) {
    // function_exists() returns false both for functions listed in
    // disable_functions and for functions removed from this PHP version.
    if (function_exists($func)) {
        echo "⚠️ Function $func iko hai, inaweza kuwa hatari!\n";
    } else {
        echo "✅ Function $func imezimwa.\n";
    }
}
?>
🔍 4️⃣ Further Security Reminders
Update PHP regularly to receive security patches.
Limit database and server privileges according to the principle of least privilege.
Enable a Web Application Firewall (WAF) such as ModSecurity or Cloudflare.
Back up your files before making major changes.
🌐 Resources & Help
Read the full article at: https://www.faulink.com