Can PHP call itself?

timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

There is a PHP validator too, which only validates the code but does not execute it. Will try to find the URL to the project ;)

http://pear.php.net/package/PHP_Parser
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

kettle_drum wrote:But you must still assume that all users are out to get you and are stupid - a trusted user could do just as much damage by accident as a hacker could.
But in a controlled environment such as the ones I mentioned, it would be very easy to track and confront anyone who did something remotely dangerous.

What would be needed is:

1. script entry logging, to see who ran what and at what time
2. detailed remote user logging (host/ISP/user agent/time)
3. function detection, so that functions like:

unlink()
exec()
system()
ini_set()
highlight_file()

etc. cannot execute.
kettle_drum
DevNet Resident
Posts: 1150
Joined: Sun Jul 20, 2003 9:25 pm
Location: West Yorkshire, England

Post by kettle_drum »

But it's still only a computer, passwords can often easily be guessed, and so you can't assume that the person is who you think it is. And once you get access to the system it doesn't matter how much you log.

By creating a PHP file that you can get to on the web you can have anything run - create a file with exec() in it and have it saved - then it's not executing it in the current script, but when you visit that page. Make this script include this code in hex and have it decode it before eval()ing it, and the script doesn't even see that you're adding an exec() to the file.

There is no safe way to have this done, and I would just use such a validator as Tim suggests.
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

Thanks for all the input. I like the idea of writing the user input to a file and then executing the file. I assume either exec() or system() will do that (I'll research that). I think this would give me more control over the errors that the students' scripts cause (and the corresponding feedback I give them). I'm also going to check out Tim's parser.

Again, I appreciate all of your input. However, you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinite loops are a fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.

Plus, I will do this in a modular fashion. For instance, many of my students struggle with arrays (especially associative arrays). So my first module will probably deal with arrays, and I will restrict the functions I allow to only those that manipulate arrays. This design along with password protecting the system should make it safe enough for my purposes.
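One way to do the "write the submission to a file and then run it" step that the post describes, as an added example that is not from the thread and not a description of the course server: the student's file is run in a separate PHP process (PHP 7.4+, where proc_open() takes an argument array, so no shell is involved) with a restricted configuration passed on the command line, and the parent enforces a wall-clock deadline, which is what actually catches the infinite loops mentioned above. The function name run_student_script(), the list of disabled functions, the limits and the sample submissions are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ (proc_open with an
// argument array, so no shell is involved) on a Unix host. run_student_script()
// and every setting below are illustrative choices.

function run_student_script(string $file, int $seconds = 5, int $maxOutput = 65536): array
{
    $php = PHP_BINARY !== '' ? PHP_BINARY : 'php';     // PHP_BINARY is empty under some web SAPIs

    // disable_functions is a system-level directive: the child cannot undo it
    // with ini_set(), which is on the list as well.
    $disabled = implode(',', [
        'exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen', 'pcntl_exec',
        'unlink', 'rename', 'rmdir', 'mkdir', 'symlink', 'chmod', 'file_put_contents', 'fopen',
        'mail', 'putenv', 'dl', 'ini_set', 'ini_alter', 'set_time_limit',
    ]);
    $cmd = [
        $php, '-n',                                     // ignore php.ini: the child gets only what is listed here
        '-d', 'disable_functions=' . $disabled,
        '-d', 'open_basedir=' . dirname($file),         // no file access outside the student's own directory
        '-d', 'memory_limit=32M',
        '-d', 'max_execution_time=' . $seconds,         // CPU seconds on Unix: a sleep() loop never trips it
        '-d', 'display_errors=stderr',                  // keep the student's output and PHP's errors apart
        '-d', 'log_errors=0',
        '-d', 'html_errors=0',
        $file,
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes, dirname($file));
    if (!is_resource($proc)) {
        return ['timed_out' => false, 'exit' => -1, 'stdout' => '', 'stderr' => 'could not start php'];
    }
    fclose($pipes[0]);                                  // the script gets no stdin
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = $err = '';
    $timedOut = false;
    $exit = -1;
    $deadline = microtime(true) + $seconds + 1;         // one extra second so the child's own limit reports first
    while (true) {
        // Drain both pipes every pass so a chatty script cannot block on a full
        // pipe; past the cap the data is read and dropped.
        $chunk = stream_get_contents($pipes[1]);
        if (strlen($out) < $maxOutput) { $out .= $chunk; }
        $chunk = stream_get_contents($pipes[2]);
        if (strlen($err) < $maxOutput) { $err .= $chunk; }

        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exit = $status['exitcode'];                // only valid on the first call after exit
            break;
        }
        if (microtime(true) > $deadline) {
            proc_terminate($proc, 9);                   // SIGKILL: this loop is never going to end on its own
            $timedOut = true;
            break;
        }
        usleep(50000);
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return [
        'timed_out' => $timedOut,
        'exit'      => $exit,
        'stdout'    => substr($out, 0, $maxOutput),
        'stderr'    => substr($err, 0, $maxOutput),
    ];
}

// Constructed sample submissions, written to a private scratch directory.
$dir  = sys_get_temp_dir() . '/student_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = $dir . '/module1.php';
$samples = [
    'busy loop'  => '<?php while (true) { }',               // CPU-bound: max_execution_time applies
    'sleep loop' => '<?php while (true) { usleep(1000); }', // idle: only the parent's deadline applies
    'forbidden'  => '<?php exec("id");',                    // disable_functions turns this into a warning
    'arrays'     => '<?php $g = ["ann" => 90, "bob" => 72]; ksort($g); print_r($g);',
];
foreach ($samples as $name => $code) {
    file_put_contents($file, $code);
    $r = run_student_script($file, 2);
    printf("%-10s timed_out=%d exit=%d\n%s%s\n", $name, $r['timed_out'], $r['exit'], $r['stdout'], $r['stderr']);
}
unlink($file);
rmdir($dir);
```

disable_functions and open_basedir restrict the interpreter, not the operating system, and both have a long history of bypasses (a still-enabled function with a bug, a loadable extension), so this is defence in depth, not a boundary: the child should additionally run as a dedicated unprivileged user with no writable path beyond its own directory. Note also that -n skips php.ini, so any extension loaded from there is unavailable to the student's script, and that on Unix max_execution_time counts CPU time, which is why the wall-clock deadline lives in the parent.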
dethron
Forum Contributor
Posts: 370
Joined: Sat Apr 27, 2002 11:39 am
Location: Istanbul

Post by dethron »

what a teacher, wow, great.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

tchenowe wrote:However, you all need to keep in mind that I am talking about an educational environment, not a production environment. Currently, my students can place anything they want into a script, load it onto the class server and run it. I mean, infinite loops are a fact of life for me. They happen all the time. I really don't see how what I am proposing is more dangerous than my current system. In fact, it is probably safer since I will have at least some control over what my students are doing, which I don't have now.
Yeah, I figured that much when I wrote my last post.

Well, good luck with whatever option you choose to take.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Assuming you have the PEAR package PHP_Parser installed:

<?php 

// +---------------------------------------------------------------------------
// | phpparser.php
// |
// | Author: Tim Van Wassenhove <timvw@users.sourceforge.net>
// | Update: 2004-10-16 19:56
// |
// | A little script that will accept a php sourcecode, and parse it.
// | Makes use of the PEAR PHP_Parser (http://pear.php.net/package/PHP_Parser)
// +---------------------------------------------------------------------------
require_once('PEAR.php');
require_once('PHP/Parser.php');

// test if a file was posted, the upload succeeded, and the path really is an
// uploaded file (never hand a caller-controlled path to the parser)
if (array_key_exists('codefile', $_FILES)
    && $_FILES['codefile']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['codefile']['tmp_name']))
{
    $result = PHP_Parser::parseFile($_FILES['codefile']['tmp_name']);
    
    // test if errors were raised while parsing
    if (PEAR::isError($result))
    {
        echo "Code is invalid: ";
        // the message can quote the submitted source, so escape it for HTML
        echo htmlspecialchars($result->getMessage());
    }
    else
    {
        echo "Code is valid.<br />";
        // highlight_file() prints the highlighted source itself and returns
        // true, so it is not echoed; the code is only displayed, never run
        highlight_file($_FILES['codefile']['tmp_name']);
    }
}

?>

<!-- PHP_SELF echoes the request path, so it is escaped before being put in the form -->
<form enctype="multipart/form-data" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="30000" />
Send this file: <input name="codefile" type="file" />
<input type="submit" value="Validate Code" />
</form>
Steveo31
Forum Contributor
Posts: 416
Joined: Sun Nov 23, 2003 9:05 pm
Location: San Jose CA

Post by Steveo31 »

You could just make a function that will remove keywords such as unlink, unset, etc. Kinda like one of those SQL-injection preventors or "bad word" filters. Be kinda fun to make I think. If it's under control and is very secure, i.e. passwords, htaccess, etc, then I don't see much of a problem.
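The three approaches discussed in this thread (m3mn0n's list of functions to detect, kettle_drum's objection that a hex-encoded string fed to eval() never contains the forbidden word, and the keyword filter suggested here) can be put side by side in code. The following is an added example, not code from the thread or from any of the posters: keyword_filter() is the "bad word" approach, token_check() is a token-level allowlist built on PHP's own lexer (token_get_all()), and the student snippets it is run on are constructed. The function names, the allowlist and the sample inputs are illustrative choices.

```php
<?php
// Added example, not code from the thread. keyword_filter(), prev_index(),
// token_check() and $allowed are illustrative names, not a real library.

// 1. The "bad word" filter: reject if a forbidden name appears anywhere.
function keyword_filter(string $code): bool
{
    foreach (['exec', 'system', 'unlink', 'ini_set', 'highlight_file'] as $bad) {
        if (stripos($code, $bad) !== false) {
            return false;                              // rejected
        }
    }
    return true;                                       // accepted
}

// Constructed sample: the word "exec" never appears literally, so the keyword
// filter accepts it, yet eval() rebuilds and runs it (kettle_drum's hex trick).
$payload = '<?php eval(hex2bin("' . bin2hex('echo exec("id");') . '"));';
var_dump(keyword_filter($payload));                    // true means "accepted"

// 2. Token-level allowlist built on PHP's own lexer.
// Index of the nearest earlier token that is not whitespace or a comment.
function prev_index(array $tokens, int $i): int
{
    for ($j = $i - 1; $j >= 0; $j--) {
        $t = $tokens[$j];
        if (is_string($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return -1;
}

// Returns findings; an empty array means only allowlisted functions are called
// and nothing in the code can decide at runtime what to call.
function token_check(string $code, array $allowed): array
{
    $errors  = [];
    $tokens  = token_get_all($code);
    $nameIds = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {           // PHP 8 lexes \exec as one token
        $nameIds[] = T_NAME_FULLY_QUALIFIED;
        $nameIds[] = T_NAME_QUALIFIED;
    }
    // Code that runs code, file inclusion, and objects (no classes, no new).
    $banned = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW, T_CLASS];

    foreach ($tokens as $i => $t) {
        if (is_array($t)) {
            if (in_array($t[0], $banned, true)) {
                $errors[] = "line {$t[2]}: {$t[1]} is not allowed";
            }
            continue;
        }
        if ($t === '`') {
            $errors[] = 'backtick shell execution is not allowed';
            continue;
        }
        if ($t !== '(') { continue; }
        // Every "(" is a potential call: decide by what precedes it.
        $p = prev_index($tokens, $i);
        if ($p < 0) { continue; }
        $prev = $tokens[$p];
        if (is_string($prev)) {
            // (expr)(), $a[0](), ${'x'}(), "str"(): the callee is computed
            if (in_array($prev, [')', ']', '}', '"'], true)) {
                $errors[] = "call on a computed callee ('$prev' before '(')";
            }
            continue;                                  // operators, "(" and "," are harmless
        }
        [$id, $text, $line] = $prev;
        if (in_array($id, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_END_HEREDOC], true)) {
            $errors[] = "line $line: dynamic call $text(...)";
        } elseif (in_array($id, $nameIds, true)) {
            $pp = prev_index($tokens, $p);
            $isDefinition = $pp >= 0 && is_array($tokens[$pp]) && $tokens[$pp][0] === T_FUNCTION;
            if (!$isDefinition && !in_array(strtolower(ltrim($text, '\\')), $allowed, true)) {
                $errors[] = "line $line: $text() is not on the allowlist";
            }
        }
        // Anything else before "(" is a keyword such as if, foreach, isset or function.
    }
    return $errors;
}

// Allowlist for an "arrays" module: nothing in it accepts a callable.
$allowed = ['count', 'array_keys', 'array_values', 'array_merge', 'sort', 'ksort',
            'in_array', 'implode', 'explode', 'print_r', 'var_dump', 'strlen'];
print_r(token_check($payload, $allowed));              // the hex/eval payload from above

// Constructed sample of what a student is expected to submit.
$student = '<?php $grades = ["ann" => 90, "bob" => 72, "cy" => 85]; ksort($grades);
foreach ($grades as $name => $g) { echo $name, ": ", $g, "\n"; }
print_r(array_keys($grades));';
print_r(token_check($student, $allowed));              // an ordinary arrays exercise
```

Two caveats follow from the design. The allowlist has to leave out every function that accepts a callable or a code string (array_map, usort, call_user_func, preg_replace_callback, register_shutdown_function and so on), because the string 'exec' passed as an argument is plain data to the tokenizer and this check would let it through. And this is a static check on syntax, not a sandbox: it says nothing about infinite loops or memory, so it belongs in front of process-level limits, not in place of them.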
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

Thanks for the code snippet, Tim. By the way, how stable is the parser? From what I read at the PEAR web site it sounds like it is still in the development stage. However, it also looked like it's been a while since that had been updated.
dimitris
Forum Contributor
Posts: 110
Joined: Wed Jan 14, 2004 3:47 am
Location: Athens, Greece

Post by dimitris »

Phenom wrote:
potsed wrote:wouldn't that have huge security issues??
Boy, would I have lots of fun with this :) You are right, it is a MAJOR security issue.
Definitely, this could allow everything! :!:
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

tchenowe wrote:Thanks for the code snippet, Tim. By the way, how stable is the parser? From what I read at the PEAR web site it sounds like it is still in the development stage. However, it also looked like it's been a while since that had been updated.
As they say themselves, it's in "devel" status. devel < alpha < beta < stable

I've noticed it says there are errors, although the script itself seems to work.
tchenowe
Forum Newbie
Posts: 13
Joined: Fri Oct 01, 2004 5:35 pm

Post by tchenowe »

OK Tim. I'll keep that in mind while I play with it. Thanks again.