The Little Guy Posted April 25, 2012 Share Posted April 25, 2012 I own http://phpsnips.com, and we are in the process of rebuilding it, and we want to add a new feature that will allow members to see a demonstration of some of the snippets we have, so they can see the result of the php in action before the use it and then find out it didn't do what they were expecting. Do you have any suggestions for us on what we should do to keep it secure? Some of the big things I was thinking of were: A. No database examples B. No examples with eval C. Don't allow examples of all code Quote Link to comment https://forums.phpfreaks.com/topic/261563-php-examples/ Share on other sites More sharing options...
QuickOldCar Posted April 25, 2012 Share Posted April 25, 2012 I guess it's time to make some snippets on securing forms and user input, then integrate those snippets into your demo's. Quote Link to comment https://forums.phpfreaks.com/topic/261563-php-examples/#findComment-1340330 Share on other sites More sharing options...
Jessica Posted April 25, 2012 Share Posted April 25, 2012 I guess it's time to make some snippets on securing forms and user input, then integrate those snippets into your demo's. :thumb-up: Quote Link to comment https://forums.phpfreaks.com/topic/261563-php-examples/#findComment-1340414 Share on other sites More sharing options...
kicken Posted April 25, 2012 Share Posted April 25, 2012 There's not really a good way to do it. You'd have to setup a chroot'ed sandbox environment and run the samples through there. That environment could have it's own php.ini that disables specific functions if you wanted. Quote Link to comment https://forums.phpfreaks.com/topic/261563-php-examples/#findComment-1340543 Share on other sites More sharing options...
scootstah Posted April 26, 2012 Share Posted April 26, 2012 You don't have to necessarily remove database examples - just don't actually communicate with a database. You can use session's to replicate the behavior but only for the specific user using it. This way no user can effect the outcome for another user, and no spam and junk. Another option is to just truncate the tables every so often with a cron job. For file uploads you can just not actually do anything with the file, just leave it in the tmp folder or manually remove it. If it's something that requires the full upload process you can just run a cron job to delete files every so often. Obviously you'd want to disable any script execution for that directory, as well as only allow file types specific to that demo. From glancing at your site, a lot of the snippets should be pretty easy to have demo's for. For a lot of it you can just use equivalent Javascript. Quote Link to comment https://forums.phpfreaks.com/topic/261563-php-examples/#findComment-1340554 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.