PHP Examples

[The Little Guy]

I own http://phpsnips.com, and we are in the process of rebuilding it, and we want to add a new feature that will allow members to see a demonstration of some of the snippets we have, so they can see the result of the php in action before the use it and then find out it didn't do what they were expecting.

 

Do you have any suggestions for us on what we should do to keep it secure?

 

Some of the big things I was thinking of were:

A. No database examples

B. No examples with eval

C. Don't allow examples of all code

[QuickOldCar]

I guess it's time to make some snippets on securing forms and user input, then integrate those snippets into your demo's.

[Jessica]

I guess it's time to make some snippets on securing forms and user input, then integrate those snippets into your demo's.

:thumb-up:

[kicken]

There's not really a good way to do it.  You'd have to setup a chroot'ed sandbox environment and run the samples through there.  That environment could have it's own php.ini that disables specific functions if you wanted.

 

 

[scootstah]

You don't have to necessarily remove database examples - just don't actually communicate with a database. You can use session's to replicate the behavior but only for the specific user using it. This way no user can effect the outcome for another user, and no spam and junk.

 

Another option is to just truncate the tables every so often with a cron job.

 

For file uploads you can just not actually do anything with the file, just leave it in the tmp folder or manually remove it. If it's something that requires the full upload process you can just run a cron job to delete files every so often. Obviously you'd want to disable any script execution for that directory, as well as only allow file types specific to that demo.

 

From glancing at your site, a lot of the snippets should be pretty easy to have demo's for. For a lot of it you can just use equivalent Javascript.