
Stripping dangerous code from eval? probably not possible..


yonta


Hi:)

I would like to build something like this: <a href="http://tryruby.hobix.com">try ruby in your browser</a> but using php (the language to learn) and flash (the interface). Basically a try php in your browser. The idea is to learn a bit more flash and php. It's all almost done, but the problem is how do I stop the user from writing code that exposes, for example, my site's password, or deletes all files, etc..

I would like to allow only stuff like echo, print, array but not stuff like fopen, fwrite, unlink and a whole bunch of other functions or global variables. I would still like that users could make up their own variable names, instead of strictly following a tutorial I would write - this would allow me to predict everything that could be written and so I could validate the code string first before using eval on it, but this is not how the try ruby works. You can input any word as a variable.

I'm thinking that this is not actually possible but maybe someone knows of a solution?

Thanks for any help

Create an array with all of the function names you don't want people to use, then loop through it and check if the values are in that string.
Example:
[code]<?php
$input = $_POST['input']; // $input is the code the user wants to execute

// Write all the words you want to check; a fragment like "mysql" blocks every mysql_* function.
$forbidden = array("unlink", "header", "session", "mysql");

foreach ($forbidden as $word) {
    // stripos: PHP function names are case-insensitive, so "UNLINK()" must be caught too
    if (stripos($input, $word) !== false) {
        die("Error - you used one of the forbidden functions");
    }
}

// rest of code
?>[/code]


But I think the whole idea of letting the user do whatever they want sounds insecure. I mean, the user can make lots of long loops and such, and make your server slow. It's hard to control.

Orio.

You don't need regex (although I agree it can be useful). Just use an array of [b]functions to allow [/b] and treat all others as strings. Be careful what functions to allow. Distrust any user input (as always).

You can't possibly check for all functions you want to exclude, because:
1) There are a lot.
2) Users won't directly be using the php function, but a function or method you will have to write that produces a specific result in the visitors' browser.

You have to be pretty sure about this, it sounds like a lot of work.
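An allowlist filter of the kind suggested above, as an added example that is not code from this thread or from any poster: it tokenizes the submitted snippet with token_get_all() and rejects anything that is not an allowlisted name, plus every construct that could reach a function by another route (computed calls, object syntax, includes, backticks, variable variables, superglobals). The $allowed set and the $sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread: an allowlist filter on PHP's tokenizer,
// following the "array of functions to allow, treat all others as strings" advice.
// The $allowed list at the bottom is a hypothetical sample, not a vetted set.

function allowlist_errors(string $code, array $allowed): array {
    $allowed = array_map('strtolower', $allowed); // function names are case-insensitive
    $skip    = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Constructs that reach code outside the allowlist no matter which names it holds.
    $blocked = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW,
                T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NS_SEPARATOR, T_GLOBAL,
                T_DOLLAR_OPEN_CURLY_BRACES, T_CLOSE_TAG, T_HALT_COMPILER];
    // A '(' right after one of these is a computed call: $f(), 'name'(), $a[0](), (expr)()
    $callee  = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_END_HEREDOC, ')', ']', '}', '"'];
    $errors  = [];
    $prev    = null;                          // previous significant token
    foreach (token_get_all("<?php " . $code) as $tok) {
        $id   = is_array($tok) ? $tok[0] : $tok;   // single-char tokens are plain strings
        $text = is_array($tok) ? $tok[1] : $tok;
        $line = is_array($tok) ? $tok[2] : '?';
        if (in_array($id, $skip, true)) {
            continue;
        }
        if ($id === '`' || $id === '$') {         // backtick shell-exec, variable variables
            $errors[] = "line $line: '$text' is not allowed";
        } elseif (in_array($id, $blocked, true) || $text === '?->' || strpos($text, '\\') !== false) {
            $errors[] = "line $line: '$text' is not allowed";
        } elseif ($id === T_VARIABLE && preg_match('/^\$(_[A-Z]+|GLOBALS|this)$/', $text)) {
            $errors[] = "line $line: superglobal or \$this ($text) is not allowed";
        } elseif ($id === T_STRING && !in_array(strtolower($text), $allowed, true)) {
            $errors[] = "line $line: '$text' is not on the allowlist";
        } elseif ($id === '(' && in_array($prev, $callee, true)) {
            $errors[] = "line $line: computed call is not allowed";
        }
        $prev = $id;
    }
    return $errors;
}

// Never allow functions that take a callable (array_map, usort, call_user_func, ...):
// a plain string argument would let them reach any function by name.
$allowed = ['strlen', 'strtoupper', 'count', 'implode', 'true', 'false', 'null', 'PHP_EOL'];
$sample  = '$name = "world"; echo strtoupper("hello $name"), PHP_EOL;'; // constructed input
if ($errors = allowlist_errors($sample, $allowed)) {
    echo "Rejected:\n - ", implode("\n - ", $errors), "\n";
} else {
    eval($sample); // only after the filter passes; still bound its run time and memory
}
```

Run the snippet that passes in a separate worker process under set_time_limit() and a small memory_limit, since the filter says nothing about loops or allocation. Keep php.ini disable_functions as a second layer for anything the filter misses.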

[quote author=ShogunWarrior link=topic=101568.msg402190#msg402190 date=1153691381]
If you can modify your PHP INI with [b]ini_set[/b] then you can set safe mode on ([b]safe_mode[/b]), set a list of disabled functions with ([b]disable_functions[/b]) and ([b]disable_classes[/b]).
[/quote]

Unfortunately, that will also disable the functions and built-in classes for all scripts. I can imagine you probably need many functions in your scripts that you don't want visitors to use.

And, like I said, you'll need to mimic the functions, not relay them, if you are to have any control over what the visitor does to your site with this potentially dangerously leaky app.

Thanks for the replies.

But I've basically given up, it's too dangerous to expose my server (not mine - the webhost's) to this. Served my (flash) learning purposes. Now I've protected access to it, and use it whenever I wanna do a quick test on a function.