Soaku - 2 months ago
PHP Question

Sharing access to use PHP for users - any tips?

I want to allow users to create their own apps with PHP on my webpage. The problem is they have access to some dangerous commands like chmod(). I'm not sure what to do.

I want to run their apps with eval(), but I don't know many dangerous commands and I want to prevent them from using any of them. So maybe anyone can make a function to run die() when there is dangerous content in the code? Or maybe give a list of commands that users shouldn't be able to run?

EDIT: I don't want to disable eval(). I want to prevent users from using functions that can endanger the site.

EDIT: I don't have access to php.ini as I'm working on a subdomain and there is one php.ini for the whole domain. And I don't want to disable commands for the whole site, just for one eval...

Answer

Don't. There is no way to do this safely.

PHP was not designed for this application. It has no way to filter function calls at runtime.

Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:

$fn = "system";
$fn("evil command");

or by using commands which you may not realize are equivalent to eval, such as assert, create_function, or even preg_exec in some versions of PHP.
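To make the answer's point concrete, here is an added example (not from the question or answer) of the kind of token-based denylist filter the question asks for, run over two constructed snippets: a direct call and the indirect call shown above. The denylist, function name and samples are assumptions; the snippets are only tokenised, never executed.

```php
<?php
// Added illustration of why source-level filtering misses indirect calls.
// DENYLIST and flaggedCalls() are hypothetical names chosen for this example.

// Functions the filter is meant to reject when they appear as direct calls.
const DENYLIST = ['system', 'exec', 'shell_exec', 'chmod', 'assert', 'create_function'];

// Returns the denylisted names that appear as bare identifiers in $code.
function flaggedCalls(string $code): array
{
    $found = [];
    $tokens = token_get_all("<?php " . $code);
    foreach ($tokens as $t) {
        // Only bare identifiers (T_STRING) are visible to this check; a name
        // inside a string literal arrives as T_CONSTANT_ENCAPSED_STRING instead.
        if (!is_array($t) || $t[0] !== T_STRING) {
            continue;
        }
        $name = strtolower($t[1]);
        if (in_array($name, DENYLIST, true)) {
            $found[] = $name;
        }
    }
    return $found;
}

// Constructed user snippets: a direct call and the indirect form from the answer.
$samples = [
    'direct'   => 'system("ls");',
    'indirect' => '$fn = "system"; $fn("ls");',
];

foreach ($samples as $label => $code) {
    $flags = flaggedCalls($code);
    printf("%-8s %s\n", $label, $flags ? 'rejected: ' . implode(', ', $flags) : 'passed');
}
```

The direct sample is rejected, while the indirect sample passes unchanged, because the only token carrying the name "system" is a string literal and the call itself is made through a variable. This is the gap the answer describes, and it is why the sound control is the interpreter-level disable_functions setting in php.ini rather than a filter over the submitted source.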
