Detecting Function Calls

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Detecting Function Calls

Post by alex.barylski »

If you're on a shared host, you're pretty much hosed...very little you can do...

Short of parsing any custom modules uploaded -- before they are processed by your framework/application/whatever and possibly removing or stubbing them out with wrapper functions.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Detecting Function Calls

Post by kaisellgren »

PCSpectra wrote:Short of parsing any custom modules uploaded
Finally a noteworthy suggestion, thanks!
alex.barylski

Re: Detecting Function Calls

Post by alex.barylski »

I've built a few CMS in my time so I can only guess at what you're trying to accomplish. :P

What I have done in the past (quite hackishly) was use token_get_all() to search for restricted functions and replace them with a function of the same name but prefixed with an 'underscore' -- the stubbed functions are invoked and calls can be logged, trigger alerts for a system admin, etc.

EDIT | Not sure about security of such an approach. If you dynamically construct the name of a function I think you're pretty much screwed without runkit extension.
kaisellgren

Re: Detecting Function Calls

Post by kaisellgren »

PCSpectra wrote:I've built a few CMS in my time so I can only guess at what you're trying to accomplish. :P
I see.
PCSpectra wrote:If you dynamically construct the name of a function I think you're pretty much screwed without runkit extension.
Don't worry, I know what I am doing now :)

Btw, how would you go for tokenizing functions inside a file? First strip out comments, then replace \s+ with one space and then look for a function-like pattern?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Detecting Function Calls

Post by josh »

Doesn't Smarty allow users to run whitelisted code? I believe it has a method for proxying function calls; actual PHP does not run within the template. You could also "embed" the PHP parser, I don't think regular expressions are going to cut it.

For instance how do you catch:

$str = 'IeNxNeOcCent'; // ( "innocent" line of code )
$cmd = '';
for( $i =1; $i<=strlen($str);$i+=2)
   $cmd .= $str[$i]; // calls exec() thru 'reflective' syntax
$cmd();
alex.barylski

Re: Detecting Function Calls

Post by alex.barylski »

kaisellgren wrote:Btw, how would you go for tokenizing functions inside a file? First strip out comments, then replace \s+ with one space and then look for a function-like pattern?
No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite. Re-assembling the code from the token list when complete.
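
The token pass described in this thread, as an added example that is not code from any poster: it walks the token_get_all() output, renames calls to restricted functions to an underscore-prefixed stub, and reassembles the source. The function name stub_restricted_calls(), the lowercase $restricted list and the _exec()-style stubs are assumptions; variable-function calls such as $f() are only reported, since their target is not known until runtime.

```php
<?php
// Added example, not code from the thread. The $restricted list and the
// underscore-prefixed stubs (_exec() etc.) are assumptions the host app supplies.
function stub_restricted_calls(string $source, array $restricted): array
{
    $skip   = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $notFn  = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW];
    $names  = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {      // PHP 8 lexes \exec as one token
        $names[] = T_NAME_FULLY_QUALIFIED;
    }
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $out = '';
    $findings = [];
    $prev = null;                                 // last significant token id
    for ($i = 0; $i < $count; $i++) {
        $tok  = $tokens[$i];
        $id   = is_array($tok) ? $tok[0] : $tok;
        $text = is_array($tok) ? $tok[1] : $tok;
        if (in_array($id, $skip, true)) {         // comments and whitespace pass through
            $out .= $text;
            continue;
        }
        // A call is a name or variable whose next significant token is '('.
        $j = $i + 1;
        while ($j < $count && is_array($tokens[$j]) && in_array($tokens[$j][0], $skip, true)) {
            $j++;
        }
        $isCall = $j < $count && $tokens[$j] === '(';
        $bare   = ltrim($text, '\\');
        if ($isCall && in_array($id, $names, true) && !in_array($prev, $notFn, true)
            && in_array(strtolower($bare), $restricted, true)) {
            $findings[] = ['line' => $tok[2], 'kind' => 'rewritten', 'name' => $bare];
            $text = substr($text, 0, strlen($text) - strlen($bare)) . '_' . $bare;
        } elseif ($isCall && $id === T_VARIABLE) { // $f(): target unknown until runtime
            $findings[] = ['line' => $tok[2], 'kind' => 'dynamic', 'name' => $text];
        }
        $out .= $text;
        $prev = $id;
    }
    return [$out, $findings];
}

// Constructed sample module.
$sample = "<?php\n\$a = exec('ls'); // exec() here is a comment\n\$o->exec();\n\$f = 'ex' . 'ec';\n\$f();\n";
[$code, $findings] = stub_restricted_calls($sample, ['exec', 'system', 'passthru']);
echo $code;
print_r($findings);
```

On the sample, the direct exec() call becomes _exec(), the comment and the $o->exec() method call are left alone, and $f() is reported as dynamic rather than rewritten.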
kaisellgren

Re: Detecting Function Calls

Post by kaisellgren »

PCSpectra wrote:No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite. Re-assembling the code from the token list when complete.
Hmm yeah I guess that will do.

@Josh: I am fighting against accidents, not cunning coders. :wink:
josh

Re: Detecting Function Calls

Post by josh »

PCSpectra wrote:No regex needed. You simply iterate the array of tokens until you find one that matches the function call you wish to stub/replace/rewrite. Re-assembling the code from the token list when complete.
Hmm, that works, but how do you get the tokens? Does PHP really have a feature like that without implementing as an extension? I guess a regex based solution would protect against "accidents" but it wouldn't be sufficient for a "cunning programmer".
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Detecting Function Calls

Post by John Cartwright »

josh wrote:Does PHP really have a feature like that without implementing as an extension?
http://ca.php.net/token_get_all
josh

Re: Detecting Function Calls

Post by josh »

Interesting, thanks.