How to safely allow user to input php code?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

betatester
Forum Newbie
Posts: 3
Joined: Thu Oct 02, 2008 12:25 pm

How to safely allow user to input php code?

Post by betatester »

Hi all,

I have a special requirement, where the web application must allow the user to enter certain snippets of source code - java, php, sql - almost all programming languages on the planet.

User enters the code into a text area, it's stored in a mysql database, later retrieved and displayed in an html <pre></pre> element.

Now how should I proceed with properly sanitizing, filtering, displaying etc.? My PHP knowledge is very limited (I'm not a PHP coder, but I understand the syntax etc.).

I tried with sanitizing the input data using strip_tags but later realized that it is not what I actually wanted. strip_tags just removed certain portions of the user input text, which is not my aim. For my application to work, all user input data should be stored and displayed as it was entered.

Guys, could you please guide me in the approach I should take?
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: How to safely allow user to input php code?

Post by The_Anomaly »

The others might know better than me, but you just need to escape it really well. If it's fully escaped, it doesn't matter what the user inputs, it's all treated as input and therefore can't be used maliciously.

I've always used PDO (PHP Data Objects) for all of my database work, with bound parameters for all of my queries. You get full SQL injection protection for free, and some other nice features (i.e. database abstraction).

To quote OWASP:
Open Web Application Security Program wrote: Do not use simple escaping functions, such as PHP's addslashes() or character replacement functions like str_replace("'", ""). These are weak and have been successfully exploited by attackers. For PHP, use mysql_real_escape_string() if using MySQL, or preferably use PDO which does not require escaping
EDIT: By the way, if you're allowing a user to input text (your code) and then displaying it to other users, you're at a high risk for XSS attacks. Check this out if you need to know more about that.
betatester
Forum Newbie
Posts: 3
Joined: Thu Oct 02, 2008 12:25 pm

Re: How to safely allow user to input php code?

Post by betatester »

Hi all,

I finally settled for:

Code:

$string = mysql_real_escape_string(addslashes(htmlspecialchars(trim($source))));

and it seems to work fine. Do you experts have any suggestions on this? Can this code be exploited somehow? If yes, kindly tell me how it can be made better.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How to safely allow user to input php code?

Post by Mordred »

Try it with a single \
betatester
Forum Newbie
Posts: 3
Joined: Thu Oct 02, 2008 12:25 pm

Re: How to safely allow user to input php code?

Post by betatester »

It appears perfectly. 8)
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How to safely allow user to input php code?

Post by Mordred »

With the double escaping? So you do stripslashes() on stuff coming from the database?
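
The approach the replies point toward, as an added example that is not code from any poster in this thread: store the snippet unmodified through a PDO bound parameter and apply htmlspecialchars() only when printing it into the <pre> element. It assumes pdo_sqlite as an offline stand-in for MySQL; the table, column and function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. pdo_sqlite stands in for MySQL so it
// runs offline; the table, column and function names are made up.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

/** Store the snippet byte-for-byte; the bound parameter keeps it out of the SQL text. */
function saveSnippet(PDO $pdo, string $source): int
{
    $stmt = $pdo->prepare('INSERT INTO snippets (body) VALUES (:body)');
    $stmt->execute([':body' => $source]);
    return (int) $pdo->lastInsertId();
}

/** Fetch the snippet exactly as it was stored. */
function loadSnippet(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM snippets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

/** HTML-escape at output time only, for display inside a <pre> element. */
function renderSnippet(string $raw): string
{
    return '<pre>' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// Constructed sample inputs: a lone backslash, quotes, PHP tags, HTML markup.
$samples = ['\\', "echo 'it\\'s';", '<?php echo "<b>$x</b>"; ?>', '</pre><b>bold</b>'];

foreach ($samples as $source) {
    $raw = loadSnippet($pdo, saveSnippet($pdo, $source));
    if ($raw !== $source) {
        throw new RuntimeException('snippet changed in storage');
    }
    // Escaping before binding is not undone by the driver: the extra
    // backslashes are stored and would appear in the page.
    $doubled = loadSnippet($pdo, saveSnippet($pdo, addslashes($source)));
    echo 'raw stored:       ', renderSnippet($raw), "\n";
    echo 'addslashes first: ', renderSnippet($doubled), "\n";
}
```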