
Wow! That's just... nuts!

I had no idea that PHP had such a completely insecure inclusion vulnerability. I'm not sure if Suhosin protects against these, but the feature list does mention limits on request variables: http://www.hardened-php.net/suhosin/a_feature_list.html

As always, yes, it's very difficult to guarantee only harmless functions are called. One of the simplest ways would be to prevent execution of code in the web root directory. Usually, we put the code files outside www and disable file uploads (separate instance for that which will exclusively handle PUT requests).




To be fair, it's probably not a security vulnerability in most cases, because it's rare that serious code does the equivalent of `$func = $_GET['func']; $func($_GET['userinput']);`, but it certainly makes for nice backdooring.

Regardless, PHP in general was never designed for security of any sort.
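As an added illustration (not code from either commenter), the dynamic-call shape quoted above next to a dispatcher that only ever invokes a fixed map of handlers; the handler names and sample requests are made up for the example:

```php
<?php
// Vulnerable shape from the comment: the callable name comes straight from
// the request, so any function PHP can resolve by name is reachable, with
// request-controlled input as its argument.
function dispatch_unsafe(array $query)
{
    $func = $query['func'];
    return $func($query['userinput']);
}

// Hardened: request tokens map to closures; a user-supplied string is never
// used as a callable name. Note that checking is_callable($name) instead of
// an allowlist would NOT help, since every built-in function is callable.
function dispatch_safe(array $query): string
{
    $handlers = [
        'upper'   => fn(string $s): string => strtoupper($s),
        'reverse' => fn(string $s): string => strrev($s),
    ];
    $name = (string)($query['func'] ?? '');
    if (!array_key_exists($name, $handlers)) {
        return 'unknown action';          // reject anything not in the map
    }
    $input = (string)($query['userinput'] ?? '');
    return $handlers[$name]($input);
}

// Constructed sample requests (what $_GET would contain).
echo dispatch_safe(['func' => 'upper', 'userinput' => 'hello']) . "\n";   // HELLO
echo dispatch_safe(['func' => 'phpinfo', 'userinput' => 'x']) . "\n";     // unknown action
```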



