Ourren

Following technology, recording life.

PHP Source Code Audit Dictionary


This page groups the PHP functions that matter for security audits. It draws on many articles and blog posts, to whose authors I am grateful.

1. File inclusion and file reading: include / require / require_once / include_once / file_get_contents
2. Command execution: exec / system / popen / passthru / proc_open / pcntl_exec / shell_exec
3. Code execution: eval / preg_replace (with the /e modifier, removed in PHP 7) / assert / call_user_func / call_user_func_array / create_function (removed in PHP 8)
4. Input sources (where untrusted data enters): $_GET / $_POST / $_COOKIE / $_SERVER / $_REQUEST / $_ENV / php://input / getenv
5. State carried between requests: session / cookie
6. Variable overwriting and deserialization: extract / parse_str / mb_parse_str / import_request_variables / unserialize
7. File system operations: copy / rmdir / chmod / fwrite / fopen / readfile / fpassthru / move_uploaded_file / file_put_contents / unlink / opendir / fgetc / fgets / ftruncate / fputs
8. SQL injection points: select / insert / update / delete / order by / group by / limit / in( (places where input is concatenated into a query), together with stripslashes / urldecode (which undo escaping applied earlier in the request)
9. Extension functions with a history of memory-safety bugs (check against the PHP version actually deployed): confirm_phpdoc_compiled / mssql_pconnect / mssql_connect / crack_opendict / snmpget / ibase_connect
10. Output sinks (XSS): echo / print / printf / vprintf on the server side; document.write / innerHTML / innerText on the client side
11. Information disclosure: phpinfo / highlight_file / show_source
12. Character-set conversion (encoding-based filter bypasses): iconv / mb_convert_encoding

The php.ini directives relevant to security are listed below. The values shown are the attacker-friendly ones, and the comments are written from the attacker's point of view; a hardened host has the opposite of each.

safe_mode = off ( many things cannot be done with it on; removed in PHP 5.4, so it is not a boundary on current versions )
disable_functions = (empty) ( nothing disabled: every function is available )
register_globals = on ( variables can be set directly from request parameters; removed in PHP 5.4 )
allow_url_include = on ( remote file inclusion through include/require )
allow_url_fopen = on ( remote URLs accepted by the fopen() family; this is the default )
magic_quotes_gpc = off ( when on, ' " \ and NUL in request data are backslash-escaped, which we do not want; removed in PHP 5.4 )
short_open_tag = on ( some scripts use <? tags, so on is better )
file_uploads = on ( we want to upload )
display_errors = on ( script errors are shown to the client; undeclared variables, paths and query fragments may leak )

The hardened counterparts to check for:
open_basedir restricts file access to the listed directories (empty means no restriction).
display_errors = off suppresses error output to the client.