Soaku Soaku - 1 year ago 64
PHP Question

Sharing access to use PHP for users - any tips?

I want to allow users to create own apps with php on my webpage. The problem is they have access to some dangerous commands like

. I'm not sure what to do.

I want to run their apps with
, but I don't know much dangerous commands and I want to prevent from using any of them. So maybe anyone can make a function to run
when there is dangerous content in the code? Or maybe give a list of commands that users shouldn't be able to run?

EDIT: I don't want to disable
. I want to prevent users from using functions that can be endanger the site.

EDIT: I don't own access to
as I'm working on subdomain and there is one
for whole domain. And I don't want to disable commands for whole site, just for one eval...

Answer Source

Don't. There is no way to do this safely.

PHP was not designed for this application. It has no way to filter function calls at runtime.

Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:

$fn = "system";
$fn("evil command");

or by using commands which you may not realize are equivalent to eval, such as assert, create_function, or even preg_exec in some versions of PHP.