开发者

Making Only Specific Functions and Variables Available in PHP

开发者 https://www.devze.com 2023-01-24 09:37 出处:网络
I want to make a programming environment. I will explain it with an example. One programmer will write that code;

I want to make a programming environment. I will explain it with an example.

One programmer will write that code;

<html>
 <head>
  <?php definedMetaTags(); ?>
 </head>
</body>

Programmer will save this file and then upload to my system. That file will be executed at server side and then they system will turn generated c开发者_如何学JAVAode back.

That definedMetaTags() function will be already written in the system.

An example of Compiler.php:

<?php
 require_once("definitionsForProgrammer.php");
 include("uploadedfile.php");
?>

My question is that I want to allow that uploadedfile.php only what functions I want. Else, maybe that programmer writes some codes what I want him/her to do. (Deleting files, mysql connection, etc.)

Is there any way to allow a code only specific functions, variables, constans?


If the goal is to allow a user to insert placeholders that will be replaced by some PHP function execution, then there's no need to treat the uploaded file as PHP code:

<html>
 <head>
  {[definedMetaTags]}
 </head>
</body>

Then Compiler.php would look like this:

<?php
 require_once("definitionsForProgrammer.php");

 $macros = array();
 $macros['definedMetaTags'] = definedMetaTags();

 $output = file_get_contents("uploadedfile.php");
 foreach($macros as $macro=>$value) $output = str_replace("{[$macro]}", $value, $output);

 echo $output;
?>

The definedMetaTags() function would need to be reworked so that it returns the tags as a string instead of printing them directly to output.

This method would allow you to define any number of macros without exposing yourself to all the security risks the others here have mentioned.


If you're aiming for security and you want to let them to write functions, then the short answer is: no.

Essentially you're asking for a PHP sandbox which will let you constrain what code can be executed. PHP would have to support this at a fundamental level for it to work. For example, supposing you took the approach of saying "I only allow the user to write a function named 'foo'". Inside that function, though the user can do all kinds of bad things like making system calls, downloading other code and executing it, etc. In order to prevent this you'd need to implement checks at a much lower level in the system.

If you're willing to restrict the scope only to variable definitions then yes you can do it. You can use token_get_all() and token_name() to examine the file to make sure that it doesn't have any code that you don't want in it. For example:

foreach (token_get_all(file_get_contents("uploadedfile.php")) as $token) {
  if (is_array($token)) {
    echo token_name($token[0]), " ";
  } else {
    echo $token;
  }
}

If you don't like any tokens you see, don't include the file. You could theoretically guard against bad functions this way as well, but it'll require a fair amount of effort to properly parse the file and make sure that they're not doing something bad.

references:

  • http://www.php.net/manual/en/function.token-get-all.php
  • http://www.php.net/manual/en/function.token-name.php
  • http://www.php.net/manual/en/tokens.php


Well, if i'm understanding your question correctly. If you include("uploadedfile.php"); you will acquire everything in it.

What you could do is break your code up into related sections (whether it be via classes or just function definitions in a file) then only include the file/class that you want.

(let me know if that's not what your asking)

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号