Skip to main content

Insecure Use of Language/Framework API

This category covers the following PHP APIs:

Why is this important?

PHP, like any other programming language, has dangerous APIs. If these APIs are not used properly, it can have a catastrophic impact on your app. There are several APIs that can allow attackers to cause unintended behavior for your application.

Read below to find out how to fix this issues in your code.

Fixing Insecure Use of Function handling Functions

The following methods are dangerous if used incorrectly:

  • create_function
  • call_user_func
  • call_user_func_array
  • forward_static_call
  • forward_static_call_array
  • function_exists
  • register_shutdown_function
  • register_tick_function

Option A: Avoid User Input in Function handling Functions

  1. Go through the issues that GuardRails identified in the PR

  2. An example of an insecure usage of create_function() is shown below

    // Note: create_function is also deprecated as of PHP 7.2.0
    create_function($_GET['func']);

  3. Remove the user input from this

  4. Create a normal function that handles user input as arguments

  5. Ship it 🚢 and relax 🌴

Last updated on by Kim Carter