PHP Execution WordPress Plugin (Modifying)

Kev
Forum Newbie
Posts: 21
Joined: Tue Aug 25, 2009 9:11 pm


Post by Kev »

Hi guys,

I have some WordPress blogs that I need to be able to execute PHP within the posts (in other words, I can type <?php echo date('Y'); ?> in the WordPress "New Post" editor and everyone will see in my blog entry... 2009).

There is a plugin called PHP Execution ( http://wordpress.org/extend/plugins/php ... on-plugin/ ) that allows this very thing.

I see this plugin as a potential security risk, however. If a hacker were to gain access to my WordPress admin area, then they would have the ability to execute PHP code on my server, which could, in theory (I assume), do untold damage to my entire server (not just my WP blog).

The meat and potatoes of this plugin is the function which does the following (pretty self-explanatory):

```php
/**
 * Execute PHP inside a post: the post body is evaluated as if it were a PHP
 * file, so plain HTML passes through and <?php ... ?> blocks run, with the
 * output captured in a buffer and returned as the post content.
 */
function execute_php($content)
{
    ob_start();
    eval("?>$content<?php ");
    $html = ob_get_contents();
    ob_end_clean();
    return $html;
}
```

I want to somehow modify this, if possible, to strip out any PHP functions such as mkdir(), rmdir(), chmod(), or any other commands that would be totally out of the ordinary for what my PHP use would be within a blog post.

Any ideas how I can go about doing this? I can't use strip_tags($content, $allowed), because I plan on echoing a lot of JavaScript and HTML as well, and building an $allowed would be too difficult.

Are there perhaps any methods using .htaccess I could implement that wouldn't break the intrinsic functionality of WP?

I'm looking for any and all suggestions and ideas you may have. I've looked at this for quite some time and can't quite figure out a solution. I also don't know if I'm just being overly paranoid about this particular plugin.

Thanks so much for your guidance and advice.
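As an added example (not from the poster or the plugin), here is the allowlist approach rather than the denylist the post proposes: tokenise the post with token_get_all() before the plugin's eval() and refuse to run it if any function call is not on a list of what a post legitimately needs; the allowlist contents and the function names execute_php_allowlisted/find_disallowed_calls are constructed here.

```php
<?php
// Added example, not the plugin's code: tokenise the post and refuse to eval()
// it unless every function call is on an allowlist (constructed here).
function find_disallowed_calls(string $content, array $allowed): array
{
    $violations = [];
    $tokens = token_get_all("?>$content<?php ");   // same wrapping the plugin evals
    $count  = count($tokens);
    // Identifier tokens; PHP 8 tokenises namespaced names separately.
    $nameIds = defined('T_NAME_FULLY_QUALIFIED')
        ? [T_STRING, T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED] : [T_STRING];
    $constructs = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if ($tok === '`') {                      // backtick operator is shell_exec()
            $violations[] = 'backtick operator';
            continue;
        }
        if (!is_array($tok)) { continue; }
        [$id, $text, $line] = $tok;
        if (in_array($id, $constructs, true)) {  // execute code without being functions
            $violations[] = "$text on line $line";
            continue;
        }
        // A name or variable followed by "(" is a call; skip whitespace to check.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) { $j++; }
        if ($j >= $count || $tokens[$j] !== '(') { continue; }
        if ($id === T_VARIABLE) {                // $f() hides the callee from a name check
            $violations[] = "variable function $text() on line $line";
        } elseif (in_array($id, $nameIds, true)
            && !in_array(strtolower(ltrim($text, '\\')), $allowed, true)) {
            $violations[] = "$text() on line $line";
        }
    }
    return $violations;
}

function execute_php_allowlisted(string $content): string
{
    $allowed = ['date', 'htmlspecialchars', 'number_format'];  // what a post needs
    $violations = find_disallowed_calls($content, $allowed);
    if ($violations !== []) {                    // run nothing, tell the author why
        return '<!-- PHP blocked: ' . htmlspecialchars(implode('; ', $violations)) . ' -->';
    }
    ob_start();
    eval("?>$content<?php ");
    return ob_get_clean();
}
```

On the .htaccess question: the server-level control for this is the disable_functions directive, which is PHP_INI_SYSTEM and so can only be set in php.ini or the main Apache configuration, not from .htaccess.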