yonta Posted July 23, 2006
Hi :) I would like to build something like this: <a href="http://tryruby.hobix.com">try ruby in your browser</a>, but using PHP (the language to learn) and Flash (the interface). Basically a "try PHP in your browser". The idea is to learn a bit more Flash and PHP. It's all almost done, but the problem is how do I stop the user from writing code that exposes, for example, my site's password, or deletes all files, etc. I would like to allow only stuff like echo, print, array, but not stuff like fopen, fwrite, unlink and a whole bunch of other functions or global variables. I would still like that users could make up their own variable names, instead of strictly following a tutorial I would write - this would allow me to predict everything that could be written and so I could validate the code string first before using eval on it, but this is not how try ruby works. You can input any word as a variable. I'm thinking that this is not actually possible, but maybe someone knows of a solution? Thanks for any help.
Joe Haley Posted July 23, 2006
You could use a complex system of regular expressions to only allow specific functions, and specific input into those functions.
yonta Posted July 23, 2006
OK.. Don't really understand simple regular expressions, much less complex ones.. Thanks anyway.
Joe Haley Posted July 23, 2006
http://www.regular-expressions.info/
There are many, many great places to learn about regular expressions. Try reading up on them, they're quite useful.
Orio Posted July 23, 2006
Create an array with all of the function names you don't want people to use, then loop through it and check if the values are in that string. Example:
[code]<?php
$input = $_POST['input']; // $input is the code the user wants to execute

// Write all the words you want to check. You can also write things like
// "mysql" to prevent all mysql functions.
$forbidden = array("unlink", "header", "session", "mysql");

foreach ($forbidden as $word) {
    // PHP function names are case-insensitive, so the check must be too
    if (stripos($input, $word) !== false) {
        die("Error - you used one of the forbidden functions");
    }
}

// rest of code
?>[/code]
But I think the whole idea of letting the user do whatever they want sounds insecure. I mean, the user can make lots of long loops and such, and make your server slow. It's hard to control.
Orio.
448191 Posted July 23, 2006
You don't need regex (although I agree it can be useful). Just use an array of [b]functions to allow[/b] and treat all others as strings. Be careful what functions to allow. Distrust any user input (as always). You can't possibly check for all functions you want to exclude, because:
1) There are a lot.
2) Users won't directly be using the PHP function, but a function or method you will have to write that produces a specific result in the visitors' browser.
You have to be pretty sure about this, it sounds like a lot of work.
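One way to put 448191's allow-list advice into practice, as an added example that is not code from this thread: instead of searching the input for forbidden words, tokenize it with PHP's own tokenizer (token_get_all) and reject anything that is not explicitly permitted. Function names, keywords and punctuation are each checked against a small allow-list, so an unknown function, a dynamic call such as $f(), backtick execution, include/require and variable variables are all refused by default. The permitted lists and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread: an allow-list filter for a "try PHP"
// sandbox, following the advice to list the functions you permit and reject
// everything else. Uses PHP's token_get_all(); the lists and the sample inputs
// below are constructed for illustration.

// Functions (and the few bare-word constants) the learner may use. Keep this tiny,
// and never add anything that takes a callback or evaluates a string
// (array_map, call_user_func, preg_replace_callback, create_function ...).
const ALLOWED_FUNCTIONS = ['strlen', 'strtoupper', 'strtolower', 'count',
    'implode', 'explode', 'range', 'true', 'false', 'null'];

// Keywords and token kinds the learner may use. Absent on purpose: T_NEW,
// T_OBJECT_OPERATOR, T_INCLUDE*, T_REQUIRE*, T_EVAL, heredocs, namespace tokens.
const ALLOWED_TOKENS = [
    T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE, T_LNUMBER, T_DNUMBER,
    T_CONSTANT_ENCAPSED_STRING, T_ECHO, T_PRINT, T_ARRAY, T_IF, T_ELSE, T_ELSEIF,
    T_FOREACH, T_FOR, T_WHILE, T_AS, T_DOUBLE_ARROW, T_IS_EQUAL, T_IS_NOT_EQUAL,
    T_IS_IDENTICAL, T_IS_NOT_IDENTICAL, T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL,
    T_BOOLEAN_AND, T_BOOLEAN_OR, T_INC, T_DEC, T_PLUS_EQUAL, T_CONCAT_EQUAL,
];

// Single-character tokens the learner may use. Absent on purpose: '$' (variable
// variables such as $$name), '`' (shell execution) and '"' (interpolated strings,
// which can embed {$f()} calls).
const ALLOWED_CHARS = ['(', ')', '[', ']', '{', '}', ';', ',', '.', '=', '+', '-',
    '*', '/', '%', '<', '>', '!', '?', ':'];

/**
 * Returns the list of problems found in $source; an empty list means the code
 * uses only the permitted subset. Anything not explicitly allowed is rejected.
 */
function sandbox_violations(string $source): array
{
    $problems = [];
    $tokens = token_get_all('<?php ' . $source);
    $n = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];

        if (is_string($tok)) {                      // one-character token
            if (!in_array($tok, ALLOWED_CHARS, true)) {
                $problems[] = "character '$tok' is not allowed";
            }
            continue;
        }

        [$id, $text, $line] = $tok;

        if ($id === T_STRING) {                     // function, constant or class name
            if (!in_array(strtolower($text), ALLOWED_FUNCTIONS, true)) {
                $problems[] = "line $line: '$text' is not in the allow-list";
            }
            continue;
        }

        if ($id === T_VARIABLE) {                   // $f() would call whatever string $f holds
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && $tokens[$j] === '(') {
                $problems[] = "line $line: calling a variable as a function is not allowed";
            }
            continue;
        }

        if (!in_array($id, ALLOWED_TOKENS, true)) {
            $problems[] = "line $line: " . token_name($id) . " ('" . trim($text) . "') is not allowed";
        }
    }
    return $problems;
}

// Constructed sample inputs: the first is accepted, the rest are refused.
$samples = [
    '$words = array("try", "php"); foreach ($words as $w) { echo strtoupper($w), " "; }',
    'echo unlink("/tmp/x");',      // function not in the allow-list
    '$f = "unlink"; $f("x");',     // dynamic call through a variable
    'echo `id`;',                  // backtick shell execution
    'echo \\strlen("x");',         // fully qualified name: unknown token on PHP 7 and 8
];
foreach ($samples as $code) {
    $problems = sandbox_violations($code);
    echo $code, "\n  => ", $problems ? implode('; ', $problems) : 'accepted', "\n";
}
```

Only code that comes back with an empty problem list should reach eval(), and even then the tokenizer filter limits the language surface, not the resources used: Orio's point about long loops still applies, so the evaluating request also needs a short max_execution_time and a small memory_limit, and ideally runs as an unprivileged user with no write access to the site. The filter needs the tokenizer extension, which is enabled in default PHP builds.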
ShogunWarrior Posted July 23, 2006
If you can modify your PHP INI with [b]ini_set[/b] then you can set safe mode on ([b]safe_mode[/b]), set a list of disabled functions with ([b]disable_functions[/b]) and ([b]disable_classes[/b]).
448191 Posted July 23, 2006
[quote author=ShogunWarrior link=topic=101568.msg402190#msg402190 date=1153691381]If you can modify your PHP INI with [b]ini_set[/b] then you can set safe mode on ([b]safe_mode[/b]), set a list of disabled functions with ([b]disable_functions[/b]) and ([b]disable_classes[/b]).[/quote]
Unfortunately, that will also disable the functions and built-in classes for all scripts. I can imagine you probably need many functions in your scripts that you don't want visitors to use. And, like I said, you'll need to mimic the functions, not relay them, if you are to have any control over what the visitor does to your site with this potentially dangerously leaky app.
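The two posts above leave a practical gap worth closing. disable_functions and disable_classes are system-level ini settings (PHP_INI_SYSTEM), so they cannot be set from a script with ini_set(); they are read at startup, and safe_mode was removed in PHP 5.4. 448191's objection that a php.ini setting applies to every script on the host can be answered by giving the sandbox its own PHP-FPM pool, so the restrictions apply only to requests routed to that pool. The fragment below is an added example, not configuration from this thread; the pool name, paths, user account and the routing of the sandbox URL to this socket are assumptions.

```ini
; Added example, not from the thread: a dedicated PHP-FPM pool for the "try PHP"
; endpoint (e.g. a file in the FPM pool.d directory; path assumed). The web server
; is assumed to route only the sandbox URL to this socket, so the main site's pool
; keeps its full function set.
[sandbox]
; an unprivileged account with no write access to the site (assumed to exist)
user = sandbox
group = sandbox
listen = /run/php/sandbox.sock
pm = static
pm.max_children = 2

; php_admin_value / php_admin_flag cannot be overridden by ini_set() in the script.
; Illustrative list; extend it to every function the learner must not reach.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,unlink,fopen,file_put_contents,mail
; confine any remaining file access to a directory that holds nothing secret (assumed path)
php_admin_value[open_basedir] = /var/www/sandbox
; limit runaway loops and memory use (Orio's concern)
php_admin_value[max_execution_time] = 2
php_admin_value[memory_limit] = 16M
php_admin_flag[allow_url_fopen] = off
```

This is defence in depth behind an allow-list in the script, not a replacement for it: disable_functions only removes named functions, and a deny-list is easy to leave incomplete.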
yonta Posted July 25, 2006
Thanks for the replies. But I've basically given up, it's too dangerous to expose my server (not mine - the webhost's) to this. Served my (Flash) learning purposes. Now I've protected access to it, and use it whenever I wanna do a quick test on a function.