Here is what I want to do. I want to enter php code into a text area and have it posted to a PHP script. The script takes the text area code, sends it to the PHP interpreter and processes the results. Anyone have a pointer to a web site that talks about doing this? Thanks for your help.
Thanks, but I know how to post information to a php script (phppage.php). What I want to do is post an actual php code snippet (through a text area) to a script (say phppage.php) and have the script send the code snippet to the php interpreter and then process the results it gets back from the interpreter.
You can do it with eval() but as potsed said, if you don't check this code and make sure it's completely safe and posted from a highly trusted source then it poses a HUGE security risk.
eval()...thanks. Yes it is a security issue. However, it will also make a great training tool. My students will be able to input code and get immediate feedback as to problems with the code. Sending the snippet to the interpreter will make my life easier, since now all my script needs to do is evaluate the results and provide the appropriate feedback to my students. However, the security issue is a point well taken. I will need to deal with this. Thanks for all your input. Any additional comments would be welcomed. In fact, specific attacks my script would need to guard against would be helpful. I can think of some, but I'm sure not all of the ways this could be exploited.
Yes, unlink would be dangerous. But if I understand this correctly, as long as the username IIS is running under does not have any write permissions then unlink will fail (permission denied). Is this correct?
True....I would need to parse the input and look for infinite loops before I used the eval. Also, it looks like eval does not return error messages, it only returns false if the code snippet fails. I'll need to look into that also.
Maybe the textarea could write to a file (one for each student) that is then included into another file to be run? You still have issues with security (preventing execution if certain functions are used would be an idea) but you do get the error messages you would normally get.
The security risks are a lot more than unlink. You can do ANYTHING. You can exec() programs, or write a script to a file to be run, you could insert things into files/databases. Once you have the ability to write and run scripts on a system you can do some damage.
But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.
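The thread raises three practical problems: eval() hides error messages, a snippet can loop forever, and dangerous functions must be blocked. The sketch below is an added example, not code from any poster: it writes the submission to a file and runs it in a separate, restricted PHP CLI process with a wall-clock timeout. The names `run_snippet`, `PHP_CLI` and `DISABLED` are hypothetical, the blocklist is illustrative and incomplete, and PHP 7.4+ on a POSIX host is assumed.

```php
<?php
// Added example, not code from the thread. Assumption: PHP_CLI points at a PHP
// CLI binary (PHP_BINARY is only the CLI when this script itself runs from the CLI).
const PHP_CLI = PHP_BINARY;
// Illustrative blocklist only: it is not complete and is not the main defence.
const DISABLED = 'exec,system,shell_exec,passthru,popen,proc_open,pcntl_exec,'
    . 'unlink,rename,copy,mkdir,rmdir,fopen,file_put_contents,mail,fsockopen';

function run_snippet(string $code, int $timeoutSec = 2): array
{
    // One private directory per run; open_basedir confines the child to it.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snip_' . bin2hex(random_bytes(8));
    mkdir($dir, 0700);
    $src = $dir . DIRECTORY_SEPARATOR . 'snippet.php';
    $out = $dir . DIRECTORY_SEPARATOR . 'output.txt';
    file_put_contents($src, "<?php\n" . $code);

    $cmd = [PHP_CLI, '-n',                    // -n: ignore any php.ini
        '-d', 'disable_functions=' . DISABLED,
        '-d', 'open_basedir=' . $dir,
        '-d', 'memory_limit=32M',
        '-d', 'display_errors=1',             // parse and runtime errors land in $out
        $src];
    // stdout goes to a file and stderr is merged into it, so no pipe can block.
    $spec = [1 => ['file', $out, 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($cmd, $spec, $pipes, $dir, []);   // []: empty environment
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start PHP CLI');
    }
    // Wall-clock limit enforced by the parent, which the snippet cannot change.
    $deadline = microtime(true) + $timeoutSec;
    do {
        usleep(50000);
        $st = proc_get_status($proc);
    } while ($st['running'] && microtime(true) < $deadline);
    $timedOut = $st['running'];
    if ($timedOut) {
        proc_terminate($proc, 9);             // SIGKILL: infinite loop or too slow
    }
    proc_close($proc);
    $result = ['timed_out' => $timedOut,
        'exit_code' => $timedOut ? null : $st['exitcode'],
        'output' => (string) file_get_contents($out, false, null, 0, 65536)];
    unlink($src); unlink($out); rmdir($dir);
    return $result;
}

// Constructed sample submissions.
print_r(run_snippet('echo 1 + 1;'));                 // normal output
print_r(run_snippet('while (true) {}'));             // timed_out => true
print_r(run_snippet('unlink("/etc/hosts");'));       // fails: function disabled
print_r(run_snippet('echo "missing semicolon"'));    // parse error text in output
```

The per-process limits only narrow what a snippet can reach; the child should still run under an account with no write access outside its scratch directory, as discussed above for the IIS user.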