
Lunah

Safely execute a string of PHP code?

Hi,

This question may not be directly related to Laravel, it's more of a general PHP question.

I am looking for the safest way to execute a string of PHP code.

I believe this can be done with the eval() function.

In context: a user submits a form field that contains a block of PHP code, for example an array:

array('a' => 1, 'b' => 2);

This would be submitted as a string:

$_POST['code'] = "array('a' => 1, 'b' => 2);";

If I wanted to convert this to JSON I could do something like:

$returnValue = '';
// the submitted text is spliced straight into the source string that eval() runs;
// note that with the trailing ";" inside $_POST['code'] the generated statement is
// json_encode(array('a' => 1, 'b' => 2););, which is a parse error
eval("\$returnValue = json_encode($_POST['code']);");
return $returnValue;

This should output {"a":1,"b":2}

I believe there are great security risks with this? Is there a safer way to do it?

tl;dr: Code is sent via form, evaluated and the typical output is returned.

Side note: this is going into a Laravel project, so maybe Laravel offers a more convenient way to do it. Probably not.

Thanks

martinbean

@GoodBytes Good heavens, why are you even thinking of letting remote users send PHP code to be executed on your server?!

Lunah

It's more of an internal system for our team, but I still want to protect it from abuse.

Here is a basic example of what I am trying to achieve: https://www.functions-online.com/json_encode.html

I could input an array, and have JSON returned. It also shows the PHP code that was executed.

There are lots of PHP sandboxes or function testers online so I can only assume there is a safe way to do it :)

jekinney

Those testers have limits set. So they parse the input and if something is deemed beyond the limit it doesn't run. Basically sanitized code.

The very same logic is behind any input handling that restricts script tags, uses commas for word separation in an array, sets a low timeout for long-running processing that isn't intended, etc.

So you need to figure out what you want to allow and write rules and methods to verify the input is within the rules. If so, execute; if not, throw an exception.

Most WYSIWYG editors don't sanitize the input; even if one claims to, you still need to filter the input. Imagine allowing script tags with a million alert pop-ups in a forum post.
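The approach jekinney describes (decide what is allowed, verify the input against it, run it only if it passes, throw otherwise), applied to the question's own case. This is an added example, not code from the thread: the submitted text is split with PHP's tokenizer, every token is checked against an allow-list, and a small recursive-descent parser builds the array, so the question's `{"a":1,"b":2}` is produced without ever calling `eval()`. The function names and the sample inputs are mine.

```php
<?php
// Added example, not code from the thread: convert a submitted PHP array
// literal (the question's "array('a' => 1, 'b' => 2);") to JSON with no eval().
// PHP's tokenizer splits the text, every token must be on an allow-list, and a
// small recursive-descent parser builds the value. Variables, function calls,
// operators, closures and anything else outside the literal grammar throw.

function literalToJson(string $code): string
{
    // drop the open tag, whitespace and comments; everything else gets checked
    $tokens = array_values(array_filter(
        token_get_all('<?php ' . $code),
        fn($t) => !(is_array($t) && in_array($t[0], [T_OPEN_TAG, T_WHITESPACE, T_COMMENT], true))
    ));
    $pos = 0;
    $value = parseValue($tokens, $pos);
    if (($tokens[$pos] ?? null) === ';') {              // tolerate the question's trailing ";"
        $pos++;
    }
    if ($pos !== count($tokens)) {
        throw new InvalidArgumentException('Unexpected trailing input');
    }
    return json_encode($value, JSON_THROW_ON_ERROR);
}

function parseValue(array $tokens, int &$pos): mixed
{
    $t = $tokens[$pos] ?? throw new InvalidArgumentException('Unexpected end of input');
    if (is_array($t) && $t[0] === T_ARRAY) {            // array( ... )
        if (($tokens[++$pos] ?? null) !== '(') {
            throw new InvalidArgumentException("Expected '(' after array");
        }
        $pos++;
        return parseItems($tokens, $pos, ')');
    }
    if ($t === '[') {                                   // [ ... ]
        $pos++;
        return parseItems($tokens, $pos, ']');
    }
    if (is_array($t)) {
        switch ($t[0]) {
            case T_CONSTANT_ENCAPSED_STRING:            // 'abc' or "abc" without interpolation
                $pos++;
                return parseStringLiteral($t[1]);
            case T_LNUMBER:                             // decimal integers assumed
                $pos++;
                return (int) $t[1];
            case T_DNUMBER:
                $pos++;
                return (float) $t[1];
            case T_STRING:                              // only the constants true/false/null
                $word = strtolower($t[1]);
                if (in_array($word, ['true', 'false', 'null'], true)) {
                    $pos++;
                    return ['true' => true, 'false' => false, 'null' => null][$word];
                }
        }
    }
    throw new InvalidArgumentException('Disallowed token: ' . (is_array($t) ? token_name($t[0]) : $t));
}

function parseItems(array $tokens, int &$pos, string $close): array
{
    $result = [];
    $next = 0;                                          // next implicit integer key
    while (($tokens[$pos] ?? null) !== $close) {
        $v = parseValue($tokens, $pos);
        $t = $tokens[$pos] ?? null;
        if (is_array($t) && $t[0] === T_DOUBLE_ARROW) { // key => value
            if (!is_int($v) && !is_string($v)) {
                throw new InvalidArgumentException('Array keys must be int or string');
            }
            $pos++;
            $key = $v;
            $v = parseValue($tokens, $pos);
        } else {
            $key = $next;
        }
        $result[$key] = $v;
        if (is_int($key) && $key >= $next) {
            $next = $key + 1;
        }
        $t = $tokens[$pos] ?? null;                     // "," (trailing comma ok) or the close
        if ($t === ',') {
            $pos++;
        } elseif ($t !== $close) {
            throw new InvalidArgumentException("Expected ',' or '$close'");
        }
    }
    $pos++;                                             // consume the closing bracket
    return $result;
}

function parseStringLiteral(string $raw): string
{
    $body = substr($raw, 1, -1);
    return $raw[0] === "'"
        ? strtr($body, ["\\'" => "'", '\\\\' => '\\'])  // single-quoted: only \' and \\ are escapes
        : stripcslashes($body);                         // double-quoted with no interpolation
}

// constructed inputs: the question's literal, a nested one, and a function call
echo literalToJson("array('a' => 1, 'b' => 2);"), PHP_EOL;
echo literalToJson("['x' => [1, 2.5, true], 'y' => null]"), PHP_EOL;
try {
    literalToJson("array('a' => time())");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The important design choice is that the allow-list is the grammar itself: the parser only knows how to build scalars and arrays, so there is no code path through which a variable, call or operator could be executed, and anything it does not recognise is reported by token name. Wrapping the call in a short `set_time_limit()` and a `memory_limit` still makes sense for the deeply nested inputs jekinney's timeout remark points at.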

Snapey

Think about whether you can break it down into some form of pseudo code that they could submit instead, which you can then parse.

I recently wrote a small processing function that worked like Unix piped functions and acted on CSV column data.

For instance, in a text area the user could enter a bunch of rules, each like:

"Start": "C | spaceConcat!D | dateWithFormat !d/m/Y G:i"

which takes column C, then joins it to column D, then passes this along to a function that converts it to a datetime object.

I have about 20 functions that are each only 3-5 lines; each takes an input value and outputs a value to be passed to the next function.

I can easily extend the list of functions because they are just methods in my class. I explode the string on the pipe character and then call each function in turn, assuming I have such a method in my class.

The user has a bunch of functions to choose from and cannot perform things that are not allowed.
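An added example of the pipeline mini-language Snapey describes; it is my code, not his. The rule `"C | spaceConcat!D | dateWithFormat !d/m/Y G:i"` from his post is used as-is, and the parts he does not spell out are assumptions: `!` separates a step from its argument, a single letter names a CSV column, and the step names are mapped through an explicit allow-list rather than a bare `method_exists()` check so that `run()`, the constructor and any future helper never become reachable from user input.

```php
<?php
// Added example (not Snapey's code): a "|"-separated pipeline over one CSV row.
// Each step is a method on this class, but only the names listed in STEPS can be
// reached from a rule string. Column letters A, B, C ... refer to cells of the row.
// The "!" argument separator and the step names are assumptions for this example.

final class RowPipeline
{
    /** step name => number of arguments it takes (the allow-list) */
    private const STEPS = [
        'spaceConcat'    => 1,
        'upper'          => 0,
        'lower'          => 0,
        'dateWithFormat' => 1,
    ];

    /** @param list<string> $row one CSV row, index 0 = column A */
    public function __construct(private array $row) {}

    /** Run one rule such as "C | spaceConcat!D | dateWithFormat !d/m/Y G:i". */
    public function run(string $rule): mixed
    {
        $steps = array_map('trim', explode('|', $rule));
        $value = $this->column(array_shift($steps));    // first step is a bare column letter
        foreach ($steps as $step) {
            [$name, $arg] = array_pad(explode('!', $step, 2), 2, null);
            $name = trim($name);
            // allow-list check: method_exists() alone would also expose run(),
            // __construct() and column(); the allow-list is the only source of truth
            if (!isset(self::STEPS[$name])) {
                throw new InvalidArgumentException("Unknown step '$name'");
            }
            if ((self::STEPS[$name] === 1) !== ($arg !== null)) {
                throw new InvalidArgumentException(
                    "Step '$name' expects " . (self::STEPS[$name] ? 'an argument' : 'no argument'));
            }
            $value = $arg === null ? $this->$name($value) : $this->$name($value, trim($arg));
        }
        return $value;
    }

    private function column(string $letter): string
    {
        if (!preg_match('/^[A-Z]$/', $letter)) {
            throw new InvalidArgumentException("Bad column reference '$letter'");
        }
        return $this->row[ord($letter) - ord('A')] ?? '';
    }

    private function spaceConcat(string $value, string $letter): string
    {
        return $value . ' ' . $this->column($letter);
    }

    private function upper(string $value): string { return strtoupper($value); }
    private function lower(string $value): string { return strtolower($value); }

    private function dateWithFormat(string $value, string $format): DateTimeImmutable
    {
        $dt = DateTimeImmutable::createFromFormat($format, $value);
        if ($dt === false) {
            throw new InvalidArgumentException("'$value' does not match format '$format'");
        }
        return $dt;
    }
}

// constructed sample row: columns A, B, C, D
$pipeline = new RowPipeline(['id-7', 'x', '25/12/2024', '14:30']);
$rules = [
    'Start' => 'C | spaceConcat!D | dateWithFormat !d/m/Y G:i',   // the rule from the post
    'Ref'   => 'A | upper',
];
foreach ($rules as $field => $rule) {
    $v = $pipeline->run($rule);
    echo $field, ': ', $v instanceof DateTimeInterface ? $v->format(DATE_ATOM) : $v, PHP_EOL;
}
try {
    $pipeline->run('A | run!x');   // a real method, but not on the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Adding a capability is one private method plus one allow-list entry, which keeps the "cannot perform things that are not allowed" property Snapey mentions explicit and reviewable. The arity check also stops a rule from smuggling an extra argument into a step that was never designed to take one.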
