User PHP Code Sandbox

Question

User PHP Code Sandbox

I want to restrict access to PHP functions that my users have access to.

For example, there is a $data object, and the user likes to use if for and echo .

Obviously letting him write PHP would be a serious vulnerability.

Is there a way to run this PHP in the sandbox, or would you recommend any lightweight PHP template engine?

+6

security php sandbox

jantimon Jul 23 '10 at 7:19

source share

6 answers

The only thing I know so far is runkit .

The runkit extension provides facilities for modifying constants, user-defined functions and custom classes. It also provides superglobal variables and embedded sub-interpreters via the sandbox.

Update:

I could find these two links regarding zend and runkit, which you should take a look at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Http_Server+-+Mat+Scales
http://www.dunfy.me.uk/?p=38

+4

Sarfraz Jul 25 '10 at 20:33

source share

Along the smarty lines, give twig a try!

There is also a very reliable extension system that allows you to enable / disable embedded or custom tags, paired parsers, nodes, etc. in the template language itself. Thus, users can have the basic logic (conditional statements, “functions” (blocks) and iterators) without resorting to the evils of eval.

+4

efritz Jul 26 '10 at 5:14

source share

Have you tried Smarty? http://www.smarty.net/

+2

Homer6 Jul 23 '10 at 7:24

source share

The PECL runkit extension provides a sandbox, but it might outsmart a little for what you want to do

+1

Mark baker Jul 23 '10 at 9:13

source share

The PHP Fat-Free Framework has a template engine that prohibits the use of PHP code and allows you to determine which functions can be used inside HTML templates.

There is also a real sandbox function that makes functions and includes files that are independent of others, i.e. the variables / functions in one included file are not known to others, so you can have a function with the same name as another include file. This can be useful for dysfunctional teams.

+1

stillstanding Jul 30 '10 at 11:18

source share

NikiC · Accepted Answer · 2010-07-30T11:18:59+0000

If you don't have your own server, you probably don't have runkit. But you have a (possibly) Tokenizer ! Using the Tokenizer, you can view this source code and abort if you find an invalid token. Here is an example of how to test an array using this . You could do the same for your purpose. The PHP documentation has a list of tokens . If you need help enabling or disabling tokens, please let me know.

€ dit: And obviously, I recommend using Twig . It is so nice - and has a sandbox!

User PHP Code Sandbox

More articles: