Page 1 of 1

Prevent function calls

Posted: Thu May 24, 2007 10:59 pm
by alex.barylski
I need to execute PHP without any support for function calls outside of internally defined.

Using it as a psuedo-language for a application.

Here is what I am thinking:

- Pass script to phpcli.exe along with the script in question and possibly the list of functions which I do not wish to support.

Here is the problem I see:

- There are literally an arbitrary number of functions made available so explicitly specifying which ones execute and which don't doesn't make sense.

Is there a way (using standard install PHP - no fancy extensions, etc) to make PHP interpret that part of it's ini as negated operation - meaning only allow execution of these, as opposed to don't allow execution of these.

Short of parsing the script file and striping out function calls, is there any other native approach I could use?

Posted: Fri May 25, 2007 12:20 am
by John Cartwright
You can define which functions you want disabled in the php.ini,
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Posted: Fri May 25, 2007 1:01 am
by alex.barylski
Yes I know, but I want to only allow basic constructs (loops, etc) no external function calls. I'm using PHP as something of a pre-processor. It's theoretically impossible to list all available functions (because of the extenable nature of PHP w/ extensions and all) so I am looking for a way to reverse that functionality and say, these *are* the functions you can execute.

I'm thinking it's not possible from the reading I've done. :(

Posted: Fri May 25, 2007 5:10 am
by stereofrog
You basically need to parse the code into AST, remove or replace unwanted function calls and reconstruct the code back from AST.

The packages from pear/PHP branch like http://pear.php.net/package/PHP_ParserGenerator/ would be of some help