A PHP extension to disable eval() and create_function().
phpize
./configure
make
sudo make install
Then add extension=disableeval.so to your php.ini.
- disableeval.enabled (boolean, default On): whether to enable the extension.
- disableeval.disallow_assert (boolean, default On): whether to disallow assert() with a string argument (PHP 7 only).
- disableeval.intercept_compile_string (boolean, default On): whether to use the zend_compile_string hook to detect the usage of eval(). If this option is disabled, the extension will not be able to catch mb_ereg_replace/mb_eregi_replace with the e flag in PHP 7.
- disableeval.aggressive (boolean, default Off): whether to react to all evaluated code (even code generated by extensions or SAPIs). Works together with disableeval.intercept_compile_string.
- disableeval.mode (integer, default 1): what to do on a policy violation:
  - 1 (DISABLEEVAL_MODE_THROW): throw an ErrorException exception;
  - 2 (DISABLEEVAL_MODE_WARN): display a warning;
  - 3 (DISABLEEVAL_MODE_SCREAM): display a warning that cannot be suppressed with the @ operator;
  - 4 (DISABLEEVAL_MODE_BAILOUT): emit a fatal error and abort the script.
For security reasons, all options are PHP_INI_SYSTEM: that is, they can only be set in php.ini or httpd.conf.
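A post-install check for the options above, as an added example that is not part of the extension's own code. It assumes the module registers under the name disableeval (inferred from disableeval.so and the INI prefix); the function name disableeval_check is hypothetical.

```php
<?php
// Added example: confirm the disableeval policy is active in this SAPI.
// Assumption: extension_loaded() knows the module as "disableeval".

function disableeval_check(): array
{
    if (!extension_loaded('disableeval')) {
        return ['extension not loaded: check extension=disableeval.so in php.ini'];
    }

    $problems = [];

    // ini_get() returns the raw string ("On", "1", "", ...), so normalise it.
    foreach (['disableeval.enabled', 'disableeval.intercept_compile_string'] as $key) {
        if (!filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = "$key is off";
        }
    }

    $mode = (int) ini_get('disableeval.mode');
    if ($mode < 1 || $mode > 4) {
        $problems[] = "disableeval.mode has unexpected value $mode";
    }

    // Live probe only in mode 1 (DISABLEEVAL_MODE_THROW), where the README
    // states an ErrorException is thrown. Mode 4 would abort this script,
    // and the README does not say whether the code still runs in modes 2/3.
    if ($mode === 1 && !$problems) {
        try {
            eval('return 1;'); // harmless constant expression
            $problems[] = 'eval() ran without raising ErrorException';
        } catch (ErrorException $e) {
            // Expected: the policy violation was raised.
        }
    }

    return $problems;
}

$problems = disableeval_check();
foreach ($problems as $p) {
    echo "FAIL: $p\n";
}
echo $problems ? '' : "OK: disableeval policy is active\n";
exit($problems ? 1 : 0);
```

Run it under the same SAPI that serves the application: CLI and FPM or mod_php commonly load different php.ini files, so a passing CLI run says nothing about the web workers.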