How to disable mysql function in php

Question

I am working on a project like codepad.org that inputs a php code and compile it and give error or output

I want to disable some functions like mysql_query and if anybody uses it then want to show some warning like mysql_query() is disabled for some security reasons

How can I disable the functions ?

Answer 1

On shared hosting you still sometime have the opportunity to compile your own PHP and install it in your home directory. By doing so, you could disable some libraries at compile time. And have access to your own php.ini corresponding to your own installation of PHP.

Most of the time on shared hosting, this will imply to run your PHP scripts as CGI. With big performances penalties.

BTW, you mentioned a concern about SQL Injection. This is "abusing" your code to perform unwanted queries. This is not calling an unexpected SQL function. That latter is code injection and could be possible, for example, if you blindly execute code from untrusted sources (using eval() just for mentioning that one). If you have such security holes -- you should rework you application instead of only relying on "clever configuration" or "patches" to prevent abuses.

Answer 2

My guess is to remove the extensions in php.ini:

Change:

extension=php_mysql.dll
extension=php_mysqli.dll 

To:

;extension=php_mysql.dll
;extension=php_mysqli.dll

Update:

Probably you can block the IP address of your MySQL server using .htaccess, so users will not be able to connect to it.

Answer 3

in php.ini

set safe_mode on/yes

then:

disable_functions = mysql_connect,system,exec,fopen,fputs,file_put_contents,mysql_query

on shared server you probably won't be able to do this without insecuring your own virtual root. .htaccess is limited according to server owner settings

in .htaccess you can change php flags like this:

php_flag disable_functions = mysql_connect,system,exec,fopen,fputs,file_put_contents,mysql_query

(maybe without the "=")

it still depends on the server config tho