Non-secure functions

Overview

Using functions that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using functions that introduce vulnerabilities in your code.

PHP functions to avoid

The following is a list of PHP functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.

• eval - Using eval is considered bad practice because of its ability to execute arbitrary PHP code.
• serialize/unserialize - Attackers can create an exploit for these functions by passing a string with a serialized arbitrary object to the unserialize function to run arbitrary code.
• md5 - The algorithm for this function is known to have cryptographic weaknesses. You should never use this function for hashing passwords or any other sensitive data.
• srand - Using a predetermined number to seed the random number generator results in a predictable sequence of numbers.
• mt_srand - This function is a pseudo-random number generator (PRNG) and is not cryptographically secure.