Non-secure functions
Overview
Using functions that are known to be exploitable or non-secure can lead to remote code execution or weak cryptography. As a developer, you should avoid using functions that introduce vulnerabilities in your code.
PHP functions to avoid
The following is a list of PHP functions that are known to be vulnerable and exploitable. Avoid using these functions in your code.
eval- Usingevalis considered bad practice because of its ability to execute arbitrary PHP code.serialize/unserialize- Attackers can create an exploit for these functions by passing a string with a serialized arbitrary object to theunserializefunction to run arbitrary code.md5- The algorithm for this function is known to have cryptographic weaknesses. You should never use this function for hashing passwords or any other sensitive data.srand- Using a predetermined number to seed the random number generator results in a predictable sequence of numbers.mt_srand- This function is a pseudo-random number generator (PRNG) and is not cryptographically secure.
