To disable functions, mainly for security reasons, you can use the disable_functionsdirective in your php.iniconfiguration file.

要禁用功能，主要是出于安全原因，您可以disable_functions在php.ini配置文件中使用该指令。

But, as the documentation states :

但是，正如文档所述：

This directive must be set in php.ini For example, you cannot set this in httpd.conf.

该指令必须在 php.ini 中设置，例如，您不能在 httpd.conf 中设置。

I suppose this is too "internal" to be configurable anywhere else than in PHP... And as it's security related, it's up to the system administrator to configure it.

我想这太“内部”了，无法在 PHP 之外的任何其他地方进行配置......而且由于它与安全相关，因此由系统管理员来配置它。

Still, the best security measure is to write clean/secure code, filter all input, escape all output... And not let anyone run their own code on your server !

尽管如此，最好的安全措施是编写干净/安全的代码，过滤所有输入，转义所有输出......并且不要让任何人在您的服务器上运行他们自己的代码！

Afraid you're pretty much stuck using php.ini to disable most of those. However, it gets worse. eval()is technically not a function, it is a language construct, so it CANNOT be disabled using disable_functions. In order to do that, you would have to install something like Suhosinand disable it from there.

恐怕你很难使用 php.ini 来禁用其中的大部分。然而，情况变得更糟。eval()从技术上讲它不是函数，它是一种语言结构，因此不能使用disable_functions. 为了做到这一点，你必须安装类似Suhosin 的东西并从那里禁用它。

A good webmaster should consider a security review to be an essential part of site setup. Do not try to completely abstract this away, people are lazy enough about security already. If you are going to use tools (like a webhost), you should take the initiative to have at least a cursory knowledge of how to manage one responsibly.

优秀的网站管理员应该将安全视为网站设置的重要组成部分。不要试图完全抽象出来，人们对安全已经足够懒惰了。如果您打算使用工具（如虚拟主机），您应该主动至少粗略了解如何负责任地管理工具。

That said, there are some other things you can do to severely cripple most hack attempts, including:

也就是说，您还可以采取其他一些措施来严重削弱大多数黑客行为，包括：

-Disable base64_decode()using disable_functions. Now, there are ways around this, however the vast majority of hack scripts are generic in nature, and this will break about 95% of them as they require the existence of BOTH of these functions in order to operate properly. This does not mean that your server cannot be hacked, but in most cases it would incur the overhead of manually sniffing your server for vulnerabilities, and most hackers are playing the numbers and ain't got time for that (NOTE: some hackers do have time for that, this is not a magic bullet by itself).

- 禁用base64_decode()使用disable_functions. 现在，有一些方法可以解决这个问题，但是绝大多数 hack 脚本本质上都是通用的，这将破坏大约 95% 的脚本，因为它们需要同时存在这两个函数才能正常运行。这并不意味着您的服务器不能被黑客入侵，但在大多数情况下，它会产生手动嗅探服务器漏洞的开销，并且大多数黑客正在玩数字并且没有时间（注意：有些黑客确实有是时候了，这本身不是灵丹妙药）。

-Filter all input for common other exploit string patterns like <?php, which is frequently used to squeak by an opening php tag unnoticed. There are several such patterns. Best practice is to whitelist specific characters and reject all others on a per-input basis. At the very least, filter the aforementioned, null terminators, and possible sql injection strings such as '; --(do not assume that simply using pdo or mysqli is going to filter ALL injection attempts, there are still some ways to pull this off even if you are properly using prepared statements).

- 过滤所有输入以查找常见的其他漏洞利用字符串模式，例如<?php，它经常被打开的 php 标签用于在不被注意的情况下发出吱吱声。有几种这样的模式。最佳做法是将特定字符列入白名单，并在每次输入的基础上拒绝所有其他字符。至少，过滤前面提到的空终止符和可能的 sql 注入字符串，例如'; --（不要假设简单地使用 pdo 或 mysqli 将过滤所有注入尝试，即使您是正确使用准备好的语句）。

-Any directories that serve only media should have all script access disabled, and all uploads and media should be placed only in such a directory. It is better to whitelist only the acceptable media rather than blacklist scripts, as there are any number of ways to execute a script file (eg: php, php5, phtml, etc) which individually may or may not be available on any given server environment. You can do this with a simple .htaccess placed in the media directory similar to this:

- 任何只提供媒体服务的目录都应该禁用所有脚本访问，并且所有上传和媒体都应该只放在这样的目录中。这是更好地白名单，而不是黑名单脚本只有在可接受的媒体，因为有任意数量的方式来执行一个脚本文件（如：php，php5，phtml等），其分别可以或可能无法使用在任何给定的服务器环境。您可以使用放置在媒体目录中的简单 .htaccess 来做到这一点，类似于：

php_flag engine off
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .aspx .htm .html .shtml .sh .cgi
Options -Indexes -ExecCGI

<Files "\.(jpe?g|png|gif|bmp|tiff|swf|flv|mov|avi|mp4)$">
  order deny,allow
  deny from all
</Files>

This part can be dynamically written by php, so your application would be capable of securing sensitive directories in a manner similar to this, which can mitigate a great deal of hacker pain, as this is typically overlooked. I typically add a similar .htaccess to almost every Wordpress site I work on in the uploads directory, and have often wondered why this is not done out of the box, as it blocks a great deal of hack attempts and does not interfere with the application in any way that I have noticed.

这部分可以由 php 动态编写，因此您的应用程序将能够以类似于此的方式保护敏感目录，这可以减轻黑客的大量痛苦，因为这通常被忽视。我通常在上传目录中为我工作的几乎每个 Wordpress 站点添加一个类似的 .htaccess，并且经常想知道为什么这不是开箱即用的，因为它阻止了大量的黑客尝试并且不会干扰应用程序以我注意到的任何方式。

Unfortunately, if you are not on an apache server, you will need to find another solution (on IIS there is most likely an equivalent, but I am not aware of what it would be personally).

不幸的是，如果您不在 apache 服务器上，您将需要找到另一个解决方案（在 IIS 上很可能有一个等价的，但我不知道它会是什么个人）。

-You should also configure your .htaccess (or web.config/etc) to disable any access methods that are not needed for your specific application. If you are not doing RESTful web services, there is really no reason to allow PUTor DELETE, you should almost certainly also disable TRACE, and probably also don't really have any reason to leave OPTIONSor HEADenabled either. It should also be mentioned that all non-recognized connection methods by default resolve to GET, which means that from the command line I can do something like:

- 您还应该配置您的 .htaccess（或 web.config/etc）以禁用您的特定应用程序不需要的任何访问方法。如果您不使用 RESTful Web 服务，则确实没有理由允许PUT或DELETE，您几乎肯定也应该禁用TRACE，并且可能也没有任何理由离开OPTIONS或HEAD启用。还应该提到的是，默认情况下所有无法识别的连接方法都解析为GET，这意味着我可以从命令行执行以下操作：

curl -X BOOGITY -d arg=badstuff -d arg2=morebadstuff yoursite.com

In this example, BOOGITYis meaningless, however, your server will interpret this as:

在这个例子中，BOOGITY是没有意义的，但是，您的服务器会将其解释为：

curl -X GET -d arg=badstuff -d arg2=morebadstuff yoursite.com

However your application likely will not. In order to prevent this, you should configure your server to accept only GETas GET, and not allow it to be the default.

但是，您的应用程序可能不会。为了防止这种情况，您应该将您的服务器配置为仅接受GETas GET，而不允许将其作为默认值。

In most cases, the primary point is not to make it difficult to execute specific php patterns in your environment, the point is to prevent the inclusion of rogue code (either locally or externally) so it does not become an issue. If you are allowing the installation of modules or such into your CMS, sloppy programmers WILL eventually create exploits, which you cannot really do much about aside from enforcing pretty stringent API parameters that make it very difficult to do it poorly, but it can never be made impossible. Never underestimate the capacity of an offshore hack shop or self proclaimed "php ninja" to diligently work with your system in the most insecure or non-compliant way possible, create massive vulnerabilities, and to invent any number of roundabout hacks to do so that are actually harder to pull off than just doing it the right way.

在大多数情况下，主要的目的不是让在您的环境中执行特定的 php 模式变得困难，重点是防止包含流氓代码（本地或外部），因此它不会成为问题。如果你允许在你的 CMS 中安装模块或类似的东西，粗心的程序员最终会创建漏洞利用，除了强制执行非常严格的 API 参数之外，你实际上无能为力，这使得它很难做得很差，但它永远不会变得不可能。永远不要低估离岸黑客商店或自称为“php ninja”的能力，它们以最不安全或不合规的方式努力使用您的系统，从而制造大量漏洞，

/security rant.

/安全咆哮。

In short: you can't do that.

简而言之：你不能那样做。

But I think you don't really understand how eval and those functions are exploited. The problem occurs when programmers do not sanitize properly the ARGUMENTS that are passed to them.

但我认为你并没有真正理解 eval 和这些函数是如何被利用的。当程序员没有正确清理传递给他们的 ARGUMENTS 时，就会出现问题。

The php shell offender script that you mentioned is just a simple PHP script passing arguments to those functions. But the attackers already had a way of injecting/uploading the malicious script. If you are not using these functions at all nor passing arguments from user input, attackers can't run arbitrarily code on your server using eval() or relatives.

您提到的 php shell offender 脚本只是一个简单的 PHP 脚本，将参数传递给这些函数。但是攻击者已经有了注入/上传恶意脚本的方法。如果您根本不使用这些函数，也不从用户输入中传递参数，则攻击者无法使用 eval() 或相关函数在您的服务器上任意运行代码。

Are you going to be hosting this framework for your users? If you are allowing users to upload and run code then you have a bigger problem in your hands.

你打算为你的用户托管这个框架吗？如果您允许用户上传和运行代码，那么您将面临更大的问题。

Read about remote code execution and remote/local file inclusion here to learn more about attacks related to this: Common PHP vulnerabilities

在此处阅读有关远程代码执行和远程/本地文件包含的信息，以了解与此相关的攻击的更多信息：常见 PHP 漏洞

The disable_functions directive is only available in the php.ini configuration.

disable_functions 指令仅在php.ini 配置中可用。

To disable functions at runtime wouldn't make much sense, since you would be able to modify the disabled function list at runtime to re-enable functions as well.

在运行时禁用函数没有多大意义，因为您还可以在运行时修改禁用的函数列表以重新启用函数。

You can disable evalthrough https://github.com/mk-j/PHP_diseval_extensionand gets around the issue of suhosin not being php7 compatible/stable.

您可以通过https://github.com/mk-j/PHP_diseval_extension禁用 eval并解决 suhosin 与 php7 不兼容/稳定的问题。

Add this line to your php.ini (you Search for 'disable_functions')

将此行添加到您的 php.ini （您搜索“disable_functions”）

disable_functions =exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Then restart your php service (apache or php-fpm)

然后重启你的 php 服务（apache 或 php-fpm）