Can PHP call itself?


tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Can PHP call itself?

Post by tchenowe »

Here is what I want to do. I want to enter php code into a text area and have it posted to a PHP script. The script takes the text area code, sends it to the PHP interpreter and processes the results. Anyone have a pointer to a web site that talks about doing this? Thanks for your help.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

<form name="formname" method="POST" action="phppage.php">

Notice the action.
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

Thanks, but I know how to post information to a php script (phppage.php). What I want to do is post an actual php code snippet (through a text area) to a script (say phppage.php) and have the script send the code snippet to the php interpreter and then process the results it gets back from the interpreter.
potsed
Forum Commoner
Posts: 50
Joined: Sat Oct 09, 2004 12:00 pm
Location: - South Africa

Post by potsed »

Wouldn't that have huge security issues??
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

You can do it with eval(), but as potsed said, if you don't check this code and make sure it's completely safe and posted from a highly trusted source then it poses a HUGE security risk.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

potsed wrote: Wouldn't that have huge security issues??

Boy would I have lots of fun with this :) You are right, it is a MAJOR security issue.
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

eval()...thanks. Yes it is a security issue. However, it will also make a great training tool. My students will be able to input code and get immediate feedback as to problems with the code. Sending the snippet to the interpreter will make my life easier, since now all my script needs to do is evaluate the results and provide the appropriate feedback to my students. However, the security issue is a point well taken. I will need to deal with this. Thanks for all your input. Any additional comments would be welcomed. In fact, specific attacks my script would need to guard against would be helpful. I can think of some, but I'm sure not all of the ways this could be exploited.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I would mainly be concerned with things like

unlink()
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

Yes, unlink would be dangerous. But if I understand this correctly, as long as the username IIS is running under does not have any write permissions then unlink will fail (permission denied). Is this correct?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Not quite sure, I believe you are correct

but things like never ending loops can seriously reduce your server performance. Too many security risks to name..
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

True... I would need to parse the input and look for infinite loops before I used the eval. Also, it looks like eval does not return error messages, it only returns false if the code snippet fails. I'll need to look into that also.
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

Maybe the textarea could write to a file (one for each student) that is then included into another file to be run? You still have issues with security (preventing execution if certain functions are used would be an idea) but you do get the error messages you would normally get.

Mac
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

The security risks are a lot more than unlink. You can do ANYTHING. You can exec() programs, or write a script to a file to be run, you could insert things into files/databases. Once you have the ability to write and run scripts on a system you can do some damage.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

This is WAY too much of a security threat to put online and publicly available.

But if this is a local intranet, or a password protected area on an online site, then why not.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.
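
The concerns raised across this thread (eval() hiding error messages, infinite loops, exec() and unlink(), writes to files) can be narrowed by running each submission in a separate PHP CLI process instead of calling eval() inside the web request. The following is an added example, not code from any poster in the thread: `run_snippet`, the limits and the function blocklist are assumptions, the array form of `proc_open` needs PHP 7.4 or later, and `$phpCli` must be set to the CLI binary when this is called from a web SAPI.

```php
<?php
// Added example, not code from the thread. Paths, limits and the function
// blocklist are illustrative assumptions, not a complete sandbox policy.
function run_snippet(string $code, string $phpCli = PHP_BINARY, float $wallSeconds = 5.0): array
{
    // Private working directory per submission; open_basedir confines file access to it.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snippet_' . bin2hex(random_bytes(8));
    mkdir($dir, 0700);
    $dir = realpath($dir);
    file_put_contents("$dir/snippet.php", $code);

    $cmd = [
        $phpCli, '-n',                        // -n: ignore php.ini and the extensions it loads
        '-d', 'display_errors=1',             // parse and runtime errors become student feedback
        '-d', 'error_reporting=-1',
        '-d', 'max_execution_time=2',         // stops CPU-bound infinite loops
        '-d', 'memory_limit=32M',
        '-d', "open_basedir=$dir",
        '-d', 'disable_functions=exec,shell_exec,system,passthru,popen,proc_open,unlink,mail',
        "$dir/snippet.php",
    ];
    // Output goes to files, so the parent never blocks on a pipe while waiting.
    $spec = [1 => ['file', "$dir/out.txt", 'w'], 2 => ['file', "$dir/err.txt", 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $dir);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start PHP CLI');
    }

    $deadline = microtime(true) + $wallSeconds;
    $timedOut = false;
    $exit = null;
    while (true) {
        $st = proc_get_status($proc);
        if (!$st['running']) { $exit = $st['exitcode']; break; }
        if (microtime(true) >= $deadline) {
            proc_terminate($proc, 9);         // wall-clock backstop for sleep() or blocking I/O
            $timedOut = true;
            break;
        }
        usleep(50000);
    }
    proc_close($proc);

    $out = file_get_contents("$dir/out.txt") . file_get_contents("$dir/err.txt");
    array_map('unlink', glob("$dir/*"));
    rmdir($dir);
    return ['exit' => $exit, 'timed_out' => $timedOut, 'output' => $out];
}

// Constructed sample submissions: a parse error and an infinite loop.
print_r(run_snippet('<?php echo "hi" $x;'));
print_r(run_snippet('<?php while (true) {}'));
```

`disable_functions` is a blocklist and will miss things, so the account the child process runs under (the IIS user discussed above) having no write access outside the working directory is the control that matters.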