How to deny the use of dangerous PHP functions?

Possible duplicate:
PHP: how to disable dangerous functions

Hi, this is my situation: I have to let my clients enter PHP code, but only safe functions like string functions, date functions, etc. Therefore, I need the list of hazardous PHP functions so I can delete them by replacing strings before saving to a PHP file. Any suggestions?

+5
5 answers

Forget about it. A reliable function whitelist is not possible in PHP. Example:

$x = 'e' . str_replace('y', 'x', 'yec');
...lots of code...
$x('format c:');

realistic options

+7


function lisp($x) {

    // Called with a string: reduce innermost (...) groups until none remain.
    if(is_string($x)) {
        $re = '~\(([^()]*)\)~';
        while(preg_match($re, $x))
            $x = preg_replace_callback($re, 'lisp', $x);
        return trim($x);
    }

    // Called back with a regex match: $x[1] is the text inside the parentheses.
    $x = preg_split('~\s+~', $x[1]);
    $e = array_shift($x);
    if(!$x)
        return is_numeric($e) ?  floatval($e) : $e;

    switch($e) {
        case '+':  return lisp($x[0]) + lisp($x[1]);
        case '-':  return lisp($x[0]) - lisp($x[1]);
        case '*':  return lisp($x[0]) * lisp($x[1]);
        case '/':  return lisp($x[0]) / lisp($x[1]);

        case 'concat':  return lisp($x[0]) . lisp($x[1]);
    }

    // Anything else is dispatched to a PHP function of the same name.
    return function_exists($e) ?
        call_user_func_array($e, array_map('lisp', $x)) : '';
}

$input = '
    (strtolower 
        (concat
            (strrev olleh) 
            (+ 22 20)))';

echo lisp($input); // hello42

;))

+2
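The interpreter above still dispatches any name that passes function_exists(), so it is not itself a whitelist. The following is an added example, not code from the answer: the same mini-language with an explicit allowlist (the list is an assumption for illustration) as the only dispatch path, so a name outside the list evaluates to an empty string.

```php
<?php
// Added example, not from the original answer: allowlist-based variant
// of the Lisp-style mini-language. The set of permitted functions below
// is an assumption chosen for illustration.
const SAFE_FUNCTIONS = [
    'strtolower', 'strtoupper', 'strrev', 'strlen', 'substr', 'trim',
    'ucfirst', 'date', 'abs', 'round', 'max', 'min',
];

function safe_lisp($x) {
    if (is_string($x)) {
        // Reduce innermost (...) groups first, as in the original interpreter.
        $re = '~\(([^()]*)\)~';
        while (preg_match($re, $x)) {
            $x = preg_replace_callback($re, 'safe_lisp', $x);
        }
        return trim($x);
    }

    // Called back with a regex match: $x[1] is the text inside the parens.
    $args = preg_split('~\s+~', trim($x[1]));
    $op = array_shift($args);
    if (!$args) {
        // A lone atom is a literal value, never a call.
        return is_numeric($op) ? floatval($op) : $op;
    }

    $vals = array_map('safe_lisp', $args);
    switch ($op) {
        case '+':      return $vals[0] + $vals[1];
        case '-':      return $vals[0] - $vals[1];
        case '*':      return $vals[0] * $vals[1];
        case '/':      return $vals[0] / $vals[1];
        case 'concat': return implode('', $vals);
    }

    // The allowlist is the only way to reach a PHP function; the language
    // has no construct that turns a computed string into a call.
    if (!in_array($op, SAFE_FUNCTIONS, true)) {
        return '';
    }
    return call_user_func_array($op, $vals);
}

echo safe_lisp('(strtolower (concat (strrev olleh) (+ 22 20)))'), "\n"; // hello42
// A name outside the allowlist is never invoked; the call collapses to ''.
echo safe_lisp('(system hostname)') === '' ? "blocked\n" : "called\n";    // blocked
```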


What you expect to do is very hard work if you want to fix it. I started by parsing the PHP code entered, checking each function being called, disabling backticks, etc.

In other words: if you want to enable a subset of PHP, you must implement your own lexer (even if PHP provides you with a parser out of the box).

+1