
PHP Execution WordPress Plugin (Modifying)

Posted: Wed Sep 30, 2009 2:07 pm
by Kev
Hi guys,

I have some WordPress blogs that I need to be able to execute PHP within the posts (in other words, I can type <?php echo date('Y'); ?> in the WordPress "New Post" editor and everyone will see in my blog entry... 2009).

There is a plugin called PHP Execution ( http://wordpress.org/extend/plugins/php ... on-plugin/ ) that allows this very thing.

I see this plugin as a potential security risk, however. If a hacker was to gain access to my WordPress admin area, then they have the ability to execute PHP code on my server, which could, in theory (I assume) do untold damage to my entire server (not just my WP blog).

The meat and potatoes of this plugin is the function which does the following (pretty self-explanatory):


/**
* execute php inside post
*/
function execute_php($content)
{
    ob_start();
    eval("?>$content<?php ");
    $html = ob_get_contents();
    ob_end_clean();
    return $html;
}
I want to somehow modify this, if possible, to strip out any PHP functions such as mkdir(), rmdir(), chmod(), or any other commands that would be totally out of the ordinary for what my PHP uses would be within a blog post.

Any ideas how I can go about doing this? I can't use strip_tags($content, $allowed), because I plan on echoing a lot of JavaScript and HTML as well, and building an $allowed would be too difficult.

Are there perhaps any methods using .htaccess I could implement that wouldn't break the intrinsic functionality of WP?

I'm looking for any and all suggestions and ideas you may have. I've looked at this for quite some time and can't quite figure out a solution. I also don't know if I'm just being overly paranoid about this particular plugin.

Thanks so much for your guidance and advice.
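The allowlist approach the post is reaching for, as an added example that is not part of the original post or of the PHP Execution plugin: instead of stripping function names out of the text (which a denylist can never finish enumerating), it runs the post through PHP's own tokenizer and refuses to eval() anything it does not explicitly recognise. The function names, the guarded wrapper and the per-site $allowed list are assumptions.

```php
<?php
// Added example, not the plugin's code: tokenize the post before eval() and refuse it
// unless every "(" follows an operator, a keyword, or a plain function name from a
// site-chosen allowlist; anything not explicitly recognised is refused.
function php_content_is_allowed($content, array $allowed)
{
    $allowed  = array_map('strtolower', $allowed);   // hypothetical per-site allowlist
    // Tokens that legitimately precede "(" without being a function call.
    $keywords = array(T_OPEN_TAG, T_ECHO, T_PRINT, T_RETURN, T_IF, T_ELSEIF, T_WHILE, T_FOR,
                      T_FOREACH, T_SWITCH, T_ISSET, T_EMPTY, T_UNSET, T_ARRAY, T_LIST);
    $never    = array(T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE);
    $prev = null; $prev2 = null;                    // last two significant tokens
    foreach (token_get_all($content) as $tok) {     // starts in HTML mode, like eval("?>...")
        if (is_array($tok)) {
            if (in_array($tok[0], $never, true)) return false;   // code-loading constructs
            if ($tok[0] === T_WHITESPACE || $tok[0] === T_COMMENT) continue;
        } elseif ($tok === '`') {
            return false;                               // backtick shell operator
        } elseif ($tok === '(' && !paren_is_allowed($prev, $prev2, $allowed, $keywords)) {
            return false;
        }
        $prev2 = $prev; $prev = $tok;
    }
    return true;
}
// Is "(" after $prev a grouping, a keyword, or a call to an allowlisted plain function?
function paren_is_allowed($prev, $prev2, array $allowed, array $keywords)
{
    if ($prev === null) return true;
    if (!is_array($prev)) return !in_array($prev, array(')', ']', '}'), true); // ")(" calls
    if (in_array($prev[0], $keywords, true)) return true;
    if ($prev[0] === T_STRING) {
        // "$o->name(", "Foo::name(", "new name(", "function name(" are not plain calls.
        $qualifiers = array(T_OBJECT_OPERATOR, T_PAAMAYIM_NEKUDOTAYIM, T_NEW, T_FUNCTION);
        if (is_array($prev2) && in_array($prev2[0], $qualifiers, true)) return false;
        return in_array(strtolower($prev[1]), $allowed, true);
    }
    // Pure-symbol operators such as "==" or "=>" are fine; everything else is refused.
    return (bool) preg_match('/^[^A-Za-z0-9_$\\\\]+$/', $prev[1]);
}
function execute_php_guarded($content, array $allowed)
{
    if (!php_content_is_allowed($content, $allowed)) {
        // Refuse to run it; show the post source as escaped text instead.
        return '<pre>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
    ob_start();
    eval("?>$content<?php ");
    return ob_get_clean();
}
```

Keep the allowlist to functions that take no callable arguments (so nothing like array_map or call_user_func), since this gate only checks the syntax of the post, not what an allowlisted function does at run time.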