http://pear.php.net/package/PHP_Parser
Can PHP call itself?
kettle_drum wrote: But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.
But in a controlled environment such as the ones I mentioned, it would be very easy to track and confront anyone who did something remotely dangerous.
What would be needed is:
1. script entry logging, to see who ran what and at what time
2. detailed remote user logging (host/isp/user agent/time)
3. function detection, so functions like unlink(), exec(), system(), ini_set(), highlight_file() etc. cannot execute.
kettle_drum
But it's still only a computer, passwords can often easily be guessed, and so you can't assume that the person is who you think it is. And once you get access to the system it doesn't matter how much you log.
By creating a php file that you can get to on the web you can have anything run - create a file with exec() in and have it saved - then it's not executing it in the current script, but when you visit that page. Make this script include some of this code in hex and have it decode it before eval()ing it and the script doesn't even see that you're adding an exec() to the file.
There is no safe way to have this done, and I would just use such a validator as Tim suggests.
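An added example, not code from the thread and not the PEAR parser Tim links: the "function detection" item from the list earlier in the thread, done on PHP's own token stream (token_get_all(), a real PHP function) rather than by searching the text for function names, so that the hex-decode-then-eval route kettle_drum describes is refused as well. The allow-list is constructed for an "arrays" module; PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread or from the PEAR PHP_Parser package: an
// allow-list checker for student-submitted PHP built on PHP's own tokenizer,
// token_get_all(). A named function may be called only if it is on the list or the
// student defined it. A text search for "exec(" misses the real routes, which is
// kettle_drum's point: eval, include/require, backticks, variable or computed callees
// ($f(), $a['k'](), (...)()) and variable variables are how a hex- or base64-encoded
// name reaches the engine, so those are refused outright.
// Assumptions: PHP >= 7.0; the allow-list is constructed for an "arrays" module.
// Functions that take callbacks (array_map, usort, call_user_func, ...) are left off
// on purpose: array_map('system', ...) would turn the list into a bypass.
const ALLOWED_FUNCTIONS = [
    'count', 'array_keys', 'array_values', 'array_merge', 'array_sum', 'array_reverse',
    'sort', 'rsort', 'ksort', 'asort', 'in_array', 'array_key_exists', 'array_search',
    'print_r', 'var_dump', 'implode', 'explode', 'strlen', 'strtoupper', 'str_repeat',
];
// Keywords refused wherever they appear; none of them needs a "(" to run code.
const FORBIDDEN_KEYWORDS = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
    T_NEW, T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NAMESPACE, T_USE, T_HALT_COMPILER];

// Index of the nearest non-whitespace, non-comment token before ($step = -1) or
// after ($step = 1) position $i, or -1 if there is none.
function significant(array $tokens, int $i, int $step): int
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!is_array($tokens[$j]) || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return -1;
}

// Returns the list of violations; an empty list means the submission is accepted.
function check_submission(string $source): array
{
    $tokens = token_get_all($source);
    $violations = [];
    // Pass 1: names the student defines with "function name(" may be called later.
    $defined = [];
    foreach ($tokens as $i => $t) {
        $n = (is_array($t) && $t[0] === T_FUNCTION) ? significant($tokens, $i, 1) : -1;
        if ($n >= 0 && is_array($tokens[$n]) && $tokens[$n][0] === T_STRING) {
            $defined[] = strtolower($tokens[$n][1]);
        }
    }
    // Pass 2: keywords are checked directly; every "(" is classified by the token in
    // front of it. Single-character tokens carry no line number, so it is remembered.
    $line = 1;
    foreach ($tokens as $i => $t) {
        if (is_array($t)) {
            $line = $t[2];
            if (in_array($t[0], FORBIDDEN_KEYWORDS, true)) {
                $violations[] = "line $line: '{$t[1]}' is not allowed in this module";
            }
            continue;
        }
        if ($t === '`' || $t === '$') {
            $violations[] = "line $line: " . ($t === '`' ? 'shell backticks' : 'variable variables') . ' are not allowed';
            continue;
        }
        if ($t !== '(') continue;
        $p = significant($tokens, $i, -1);
        $prev = $p >= 0 ? $tokens[$p] : null;
        if (!is_array($prev)) {
            // "(" right after ")", "]" or "}" calls a computed value, e.g. $a['k']() or (...)();
            // a "(" after an operator, as in 2 * (3 + 4), is ordinary grouping.
            if (in_array($prev, [')', ']', '}'], true)) {
                $violations[] = "line $line: call through a computed expression is not allowed";
            }
        } elseif ($prev[0] === T_VARIABLE) {
            $violations[] = "line $line: variable function call {$prev[1]}() is not allowed";
        } elseif ($prev[0] === T_STRING || (defined('T_NAME_FULLY_QUALIFIED')
                && in_array($prev[0], [T_NAME_FULLY_QUALIFIED, T_NAME_QUALIFIED], true))) {
            $pp = significant($tokens, $p, -1);
            $ppid = ($pp >= 0 && is_array($tokens[$pp])) ? $tokens[$pp][0] : null;
            if (in_array($ppid, [T_FUNCTION, T_NEW, T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
                continue;   // a definition, or object use that was already reported above
            }
            $name = strtolower(substr(strrchr('\\' . $prev[1], '\\'), 1));   // drop namespace
            if (!in_array($name, ALLOWED_FUNCTIONS, true) && !in_array($name, $defined, true)) {
                $violations[] = "line $line: $name() is not on the allow-list";
            }
        }
    }
    return $violations;
}

// Constructed samples: a plain array exercise, and the hex/eval trick from the thread.
$good = "<?php\n\$grades = ['ann' => 90, 'bob' => 72];\nksort(\$grades);\nprint_r(array_keys(\$grades));";
$bad = '<?php
$f = "\x70\x68\x70\x69\x6e\x66\x6f";   // "phpinfo" written as hex escapes
$f();
eval(base64_decode("ZWNobyAxOw=="));   // decodes to: echo 1;
call_user_func("phpinfo");';
foreach (['good' => $good, 'bad' => $bad] as $label => $code) {
    $v = check_submission($code);
    echo "$label: ", $v ? "rejected\n  " . implode("\n  ", $v) : 'accepted', "\n";
}
```

Run it with the PHP CLI: the first sample is accepted, the second is rejected four times over (the variable call on line 3, eval and base64_decode() on line 4, call_user_func() on line 5). The check is deliberately conservative: anything it cannot classify as a plain call to an allowed name is refused, which is the right default for a grader, and false positives only cost a student a clearer error message.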
Thanks for all the input. I like the idea of writing the user input to a file and then executing the file. I assume either exec() or system() will do that (I'll research that). I think this would give me more control over the errors that the students' scripts cause (and the corresponding feedback I give them). I'm also going to check out Tim's parser.
Again, I appreciate all of your input. However you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinite loops are a fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.
Plus, I will do this in a modular fashion. For instance, many of my students struggle with arrays (especially associative arrays). So my first module will probably deal with arrays, and I will restrict the functions I allow to only those that manipulate arrays. This design along with password-protecting the system should make it safe enough for my purposes.
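An added example, not the poster's code: one way to run a submission the way the post above describes (written to a file, executed by a separate PHP process) while keeping infinite loops and the functions the thread lists under control. It assumes a POSIX host with the php CLI on PATH; PHP_BIN, the limits and the three sample scripts are constructed for this example.

```php
<?php
// Added example, not code from the thread. The submission is written to its own file
// and executed by a separate PHP process with the limits that make an infinite loop or
// a stray exec() survivable: a restricted configuration passed with -d, a memory cap,
// file access confined to the script's own directory, and a wall-clock deadline after
// which the child is killed. Assumptions: a POSIX host with the `php` CLI on PATH;
// PHP_BIN, the limits and the sample scripts at the bottom are constructed here.
const PHP_BIN = 'php';
const WALL_CLOCK_LIMIT = 3;   // seconds

function run_student_script(string $source, int $timeout = WALL_CLOCK_LIMIT): array
{
    $dir = sys_get_temp_dir() . '/student_' . bin2hex(random_bytes(6));
    mkdir($dir, 0700);
    $file = "$dir/script.php";
    file_put_contents($file, $source);

    // -n skips the server's php.ini; each -d then counts as a php.ini line, so even
    // INI_SYSTEM settings such as disable_functions apply, and only to this child.
    $cmd = implode(' ', array_map('escapeshellarg', [
        PHP_BIN, '-n',
        '-d', 'disable_functions=exec,system,passthru,shell_exec,proc_open,popen,pcntl_exec,putenv,ini_set,dl',
        '-d', "open_basedir=$dir",
        '-d', 'memory_limit=32M',
        '-d', 'allow_url_fopen=0',
        '-d', 'display_errors=stderr',   // student errors go to stderr, output to stdout
        '-f', $file,
    ]));
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $dir);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start the PHP child process');
    }
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $stdout = $stderr = '';
    $exitCode = -1;
    $timedOut = false;
    $deadline = microtime(true) + $timeout;
    while (true) {
        // Drain both pipes on every turn so a chatty script cannot block on a full pipe.
        $stdout .= stream_get_contents($pipes[1]);
        $stderr .= stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exitCode = $status['exitcode'];   // read it here: it is only reported once
            break;
        }
        if (microtime(true) >= $deadline) {
            $timedOut = true;
            proc_terminate($proc, 9);   // SIGKILL: nothing in the script can catch it
            break;
        }
        usleep(50000);
    }
    $stdout .= stream_get_contents($pipes[1]);
    $stderr .= stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    array_map('unlink', glob("$dir/*") ?: []);   // open_basedir kept any writes inside $dir
    rmdir($dir);
    return ['stdout' => $stdout, 'stderr' => $stderr, 'exit_code' => $exitCode, 'timed_out' => $timedOut];
}

// Constructed samples: a correct exercise, an infinite loop, and a call the child may not make.
$samples = [
    'sort' => '<?php $a = [3, 1, 2]; sort($a); echo implode(",", $a);',
    'loop' => '<?php while (true) { }',
    'exec' => '<?php echo exec("echo hi");',   // a warning on PHP 7, a fatal Error on PHP 8
];
foreach ($samples as $name => $code) {
    $r = run_student_script($code);
    printf("%s: exit=%d timed_out=%s stdout=%s stderr=%s\n", $name, $r['exit_code'],
        $r['timed_out'] ? 'yes' : 'no', json_encode($r['stdout']), json_encode(trim($r['stderr'])));
}
```

The deadline is wall-clock rather than max_execution_time because the engine's own limit counts CPU time on Linux and never fires for a script that sleeps or blocks; the memory cap and open_basedir are what stop a runaway script from taking the server down with it. This limits what a script can do, not who can submit one: the password protection the post mentions is still what ties a submission to a student.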
tchenowe wrote: However you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinite loops are a fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.
Yeah, I figured that much when I wrote my last post.
Well good luck with whatever option you choose to take.
Assuming you have the PEAR package PHP_Parser installed:
Code:
    <?php
    // +---------------------------------------------------------------------------
    // | phpparser.php
    // |
    // | Author: Tim Van Wassenhove <timvw@users.sourceforge.net>
    // | Update: 2004-10-16 19:56
    // |
    // | A little script that will accept a php sourcecode, and parse it.
    // | Makes use of the PEAR PHP_Parser (http://pear.php.net/package/PHP_Parser)
    // +---------------------------------------------------------------------------
    require_once('PHP/Parser.php');

    // test if a file was posted
    if (array_key_exists('codefile', $_FILES))
    {
        $result = PHP_Parser::parseFile($_FILES['codefile']['tmp_name']);

        // test if no errors were raised while parsing
        if (PEAR::isError($result))
        {
            echo "Code is invalid: ";
            echo $result->getMessage();
        }
        else
        {
            echo "Code is valid.<br />";
            // highlight_file() prints the highlighted source itself and returns true,
            // so it must not be echoed (that would append a stray "1" to the output)
            highlight_file($_FILES['codefile']['tmp_name']);
        }
    }
    ?>
    <!-- PHP_SELF is taken from the request path, so it is escaped before being put into the form -->
    <form enctype="multipart/form-data" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
    <input type="hidden" name="MAX_FILE_SIZE" value="30000" />
    Send this file: <input name="codefile" type="file" />
    <input type="submit" value="Validate Code" />
    </form>
tchenowe wrote: Thanks for the code snippet Tim. By the way, how stable is the parser? From what I read at the pear web site it sounds like it is still in the development stage. However, it also looked like it's been a while since that had been updated.
As they say themselves, it's in "devel" status: devel < alpha < beta < stable.
I've noticed it says there are errors, although the script itself seems to work.