php sandbox: how to implement safety

Posted: Thu Jun 18, 2009 2:19 pm
by magrimm
Hello.

I would like to find a safe way for external users to
type in PHP code and have it run using eval().

I understand the danger and I'm looking for a way
to minimize it. The only functions I want users to
be able to use are things like echo, while, if and
so on.

Is there a way to exclude potentially harmful
functions or use safe ones?

Thanks in advance.

Re: php sandbox: how to implement safety

Posted: Thu Jun 18, 2009 2:35 pm
by Eric!
While I don't really understand why you would want to do this, I think you could make it safe by only allowing a subset of functions. However, I think you could be subject to cross-site scripting hacks if you allow echo, depending on how you handle the data entry. Perhaps if you only allowed members into the sandbox that would restrict public hacks (redirections, etc) and you could validate users to keep them honest...somewhat.

The question of what type of subset and environment to use would be better asked in the security forum.

It seems like a lot of work to make a mini-php simulator.
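
The "subset" idea from the reply above, sketched as an added example that is not part of the thread: tokenize the submitted snippet with `token_get_all()`, reject anything outside a small allow-list before `eval()` sees it, and HTML-escape whatever the snippet echoes. The function names, the chosen token set and the sample inputs are assumptions; PHP 7.1+ with the tokenizer extension is assumed.

```php
<?php
// Added example: allow-list check for a tiny PHP subset. All names here are hypothetical.
const ALLOWED_TOKENS = [
    T_OPEN_TAG, T_ECHO, T_IF, T_ELSE, T_ELSEIF, T_WHILE, T_VARIABLE, T_LNUMBER, T_DNUMBER,
    T_CONSTANT_ENCAPSED_STRING, T_INC, T_DEC, T_IS_EQUAL, T_IS_NOT_EQUAL,
    T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR,
];
const ALLOWED_CHARS = [';', '(', ')', '{', '}', '=', '+', '-', '*', '/', '%', '<', '>', '.', ',', '!'];
// A "(" directly after one of these would be a call such as $f(...) or 'name'(...).
const VALUE_END = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, ')'];

// Returns null if every token is on the allow-list, otherwise the reason for rejection.
function snippet_violation(string $code): ?string
{
    $prev = null; // previous non-whitespace token id (int) or character (string)
    foreach (token_get_all('<?php ' . $code) as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [$tok, $tok];
        if ($id === T_WHITESPACE) { continue; }
        if (!in_array($id, is_array($tok) ? ALLOWED_TOKENS : ALLOWED_CHARS, true)) {
            return 'token not allowed: ' . trim($text);
        }
        if ($id === T_VARIABLE && ($text === '$GLOBALS' || $text === '$this' || strncmp($text, '$_', 2) === 0)) {
            return 'variable not allowed: ' . $text;
        }
        if ($id === '(' && in_array($prev, VALUE_END, true)) {
            return 'call syntax not allowed';
        }
        $prev = $id;
    }
    return null;
}

// Validates, runs the snippet in a scope with no application variables, escapes its output.
function run_snippet(string $code): string
{
    if (($why = snippet_violation($code)) !== null) {
        return 'Rejected: ' . htmlspecialchars($why, ENT_QUOTES, 'UTF-8');
    }
    ob_start();
    try {
        (static function (string $src): void { eval($src); })($code);
    } catch (Throwable $e) {
        ob_end_clean();
        return 'Error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
    return htmlspecialchars(ob_get_clean(), ENT_QUOTES, 'UTF-8');
}
// Constructed sample inputs: the first is accepted and its markup escaped, the second is rejected.
echo run_snippet('$i = 0; while ($i < 3) { echo "<b>" . $i . "</b>"; $i++; }'), "\n";
echo run_snippet('echo phpversion();'), "\n";
```

Because `T_STRING` is not on the list, no named function, constant or class can appear at all, and interpolated strings, backticks and array access are rejected as unlisted tokens. The check does not bound loops, so `max_execution_time` and `memory_limit` still have to cap what an accepted snippet can consume.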

Re: php sandbox: how to implement safety

Posted: Fri Jun 19, 2009 9:31 am
by magrimm
Eric! wrote: While I don't really understand why you would want to do this, I think you could make it safe by only allowing a subset of functions. However, I think you could be subject to cross-site scripting hacks if you allow echo, depending on how you handle the data entry. Perhaps if you only allowed members into the sandbox that would restrict public hacks (redirections, etc) and you could validate users to keep them honest...somewhat.

The question of what type of subset and environment to use would be better asked in the security forum.

It seems like a lot of work to make a mini-php simulator.

OK.

Then I will ask it on the security forum.

Thanks for your input.