php sandbox: how to implement safety

magrimm
Forum Newbie
Posts: 2
Joined: Thu Jun 18, 2009 2:03 pm

php sandbox: how to implement safety

Post by magrimm »

Hello.

I would like to find a safe way for external users to
type in PHP code and have it run using eval().

I understand the danger and I'm looking for a way
to minimize it. The only functions I want users to
be able to use are things like echo, while, if and
so on.

Is there a way to exclude potentially harmful
functions or use safe ones?

Thanks in advance.
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: php sandbox: how to implement safety

Post by Eric! »

While I don't really understand why you would want to do this, I think you could make it safe by only allowing a subset of functions. However, I think you could be subject to cross-site scripting hacks if you allow echo, depending on how you handle the data entry. Perhaps if you only allowed members into the sandbox, that would restrict public hacks (redirections, etc.) and you could validate users to keep them honest... somewhat.

The question of what type of subset and environment to use would be better asked in the security forum.

It seems like a lot of work to make a mini-php simulator.
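
One way to implement the "allow only a subset" idea and the echo/cross-site scripting concern from the post above, as an added example that is not part of the original thread. It assumes PHP 8 with the tokenizer extension; the names `sandbox_violation` and `run_sandboxed` and the three allowlists are hypothetical choices made for this sketch.

```php
<?php
// Added example (PHP 8+): default-deny token allowlist; the three lists are assumptions.
const SAFE_NAMES = ['strlen', 'strtoupper', 'strtolower', 'abs', 'min', 'max',
                    'true', 'false', 'null'];        // none of these takes a callback
const SAFE_CHARS = [';', '(', ')', '{', '}', '+', '-', '*', '/', '%', '<', '>', '=', '.', '!', ','];
const SAFE_TOKENS = [T_OPEN_TAG, T_ECHO, T_IF, T_ELSE, T_ELSEIF, T_WHILE, T_VARIABLE, T_STRING,
    T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING, T_IS_EQUAL, T_IS_NOT_EQUAL, T_INC, T_DEC,
    T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR];

/** Returns null when $code stays inside the subset, otherwise the reason for refusal. */
function sandbox_violation(string $code): ?string
{
    $prev = null;                                    // previous non-whitespace token id
    $callish = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')'];
    foreach (token_get_all('<?php ' . $code) as $tok) {
        [$id, $text] = is_array($tok) ? $tok : [$tok, $tok];
        if ($id === T_WHITESPACE) { continue; }
        $bad = match (true) {
            !in_array($id, is_int($id) ? SAFE_TOKENS : SAFE_CHARS, true) => 'token',
            $id === T_STRING && !in_array(strtolower($text), SAFE_NAMES, true) => 'name',
            $id === T_VARIABLE && preg_match('/^\$(_|GLOBALS$|this$)/', $text) === 1 => 'variable',
            // "(" right after a variable, string or ")" is a dynamic call such as $f(...)
            $id === '(' && in_array($prev, $callish, true) => 'dynamic call',
            default => null,
        };
        if ($bad !== null) { return "$bad not allowed: $text"; }
        $prev = $id;
    }
    return null;
}

/** Runs accepted code; output is HTML-escaped so echo cannot inject markup. */
function run_sandboxed(string $code): string
{
    if (($why = sandbox_violation($code)) !== null) {
        return 'refused: ' . htmlspecialchars($why, ENT_QUOTES, 'UTF-8');
    }
    ob_start();
    try { eval($code); } catch (Throwable $e) { echo 'error: ', $e->getMessage(); }
    return htmlspecialchars(ob_get_clean(), ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: accepted, accepted but escaped, refused, refused.
foreach (['$i = 0; while ($i < 3) { echo strtoupper("a") . $i; $i++; }',
          'echo "<script>alert(1)</script>";',
          '$f = "strlen"; echo $f("x");',
          'echo file_get_contents("notes.txt");'] as $sample) {
    echo run_sandboxed($sample), PHP_EOL;
}
```

The check only constrains which constructs reach eval(); it does not bound CPU or memory, so an endless `while` loop still has to be stopped by execution limits or by running the code in a separate, restricted process. Anything not on the lists is refused, so extending the subset means adding tokens one at a time and re-checking that no addition enables a dynamic call.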
magrimm
Forum Newbie
Posts: 2
Joined: Thu Jun 18, 2009 2:03 pm

Re: php sandbox: how to implement safety

Post by magrimm »

Eric! wrote:
While I don't really understand why you would want to do this, I think you could make it safe by only allowing a subset of functions. However, I think you could be subject to cross-site scripting hacks if you allow echo, depending on how you handle the data entry. Perhaps if you only allowed members into the sandbox, that would restrict public hacks (redirections, etc.) and you could validate users to keep them honest... somewhat.

The question of what type of subset and environment to use would be better asked in the security forum.

It seems like a lot of work to make a mini-php simulator.

OK.

Then I will ask it on the security forum.

Thanks for your input.