6

I want to limit what PHP functionality my users have access to.

For instance there is an object $data and the user likes to use if for and echo.

Obviously allowing him to write PHP would be a serious vulnerability.

Is there any way to run this PHP in a sandbox or would you recommend any lightweight PHP template engine?


6 Answers

8
+25

If you don't have your own server you probably don't have runkit. But what you do have (probably) is the Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here is an example of how to validate an array using this. You could do the same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.

Edit: And obviously I do recommend using Twig, too. It is so nice - and has sandboxing!


1 Comment

Twig has sandboxed template code. This is not as good as runkit-sandbox, but I don't have to reinstall the PHP server. Thank you very much!
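A worked version of the Tokenizer idea from the answer above, added here as an example (it is not the answerer's code and not the linked array validator). It uses PHP 8's PhpToken wrapper around the Tokenizer. The allowed token set, the allowed function list, the root variable name ($data) and the sample templates are assumptions made for this illustration; everything not explicitly listed is rejected, which is the safe default for an allow-list.

```php
<?php
// Added example (not from the answer above): allow-list validation of a user
// written PHP template with PHP 8's PhpToken. Token set, function list and the
// root variable name are assumptions for this illustration.
declare(strict_types=1);

const ALLOWED_TOKENS = [
    T_OPEN_TAG_WITH_ECHO, T_CLOSE_TAG, T_INLINE_HTML,
    T_ECHO, T_IF, T_ELSEIF, T_ELSE, T_ENDIF, T_FOREACH, T_ENDFOREACH, T_AS, T_DOUBLE_ARROW,
    T_VARIABLE, T_STRING, T_OBJECT_OPERATOR, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
    T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
    T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR,
];
// One-character tokens are matched by their text. No '=', '"', '`', '{', '$', '\\' ...
const ALLOWED_CHARS = ['(', ')', '[', ']', ';', ':', ',', '.', '<', '>', '!', '+', '-', '*', '/', '%'];
// Plain functions a template may call. Method calls on objects are never allowed.
const ALLOWED_FUNCTIONS = ['htmlspecialchars', 'count', 'strtoupper', 'strtolower', 'number_format'];
const ROOT_VARIABLE = '$data';

function reject(PhpToken $tok, string $why): string
{
    return sprintf('line %d: %s (%s %s)', $tok->line, $why, $tok->getTokenName(), trim($tok->text));
}

/** Returns null if $source uses only allowed constructs, otherwise a message naming the first offender. */
function validateTemplate(string $source): ?string
{
    $allowedVars = [ROOT_VARIABLE => true];   // $_SERVER, $GLOBALS, $this ... never end up in here
    $prev = $prev2 = null;                    // the last two significant tokens
    $depth = 0;                               // parenthesis depth
    $foreachDepth = null;                     // depth at which an open foreach header started

    foreach (PhpToken::tokenize($source) as $tok) {
        if ($tok->isIgnorable()) {            // whitespace, comments, the <?php open tag
            continue;
        }
        if (!$tok->is(ALLOWED_TOKENS) && !$tok->is(ALLOWED_CHARS)) {
            // eval, include, new, ::, function, backticks, "..." interpolation, $$x, ${...} all land here
            return reject($tok, 'token not allowed');
        }
        if ($tok->is(T_VARIABLE)) {
            // New variables may only be introduced inside a foreach header: foreach (... as $k => $v)
            if ($foreachDepth !== null && $prev !== null && $prev->is([T_AS, T_DOUBLE_ARROW])) {
                $allowedVars[$tok->text] = true;
            } elseif (!isset($allowedVars[$tok->text])) {
                return reject($tok, 'variable not allowed');
            }
        } elseif ($tok->is(T_STRING)) {
            // A bare identifier is either a member name after "->" or an allow-listed function/constant.
            $isMember = $prev !== null && $prev->is(T_OBJECT_OPERATOR);
            $known = in_array(strtolower($tok->text), [...ALLOWED_FUNCTIONS, 'true', 'false', 'null'], true);
            if (!$isMember && !$known) {
                return reject($tok, 'identifier not allowed');
            }
        } elseif ($tok->is('(')) {
            $depth++;
            // "(" is accepted only after if/elseif/foreach or after an allow-listed function name that
            // is not a member name ($data->count()). This also blocks 'system'('id') and $f('id').
            $afterKeyword = $prev !== null && $prev->is([T_IF, T_ELSEIF, T_FOREACH]);
            $afterFunction = $prev !== null && $prev->is(T_STRING)
                && in_array(strtolower($prev->text), ALLOWED_FUNCTIONS, true)
                && !($prev2 !== null && $prev2->is(T_OBJECT_OPERATOR));
            if (!$afterKeyword && !$afterFunction) {
                return reject($tok, 'call or grouping not allowed here');
            }
            if ($prev->is(T_FOREACH)) {
                $foreachDepth = $depth;
            }
        } elseif ($tok->is(')')) {
            if ($depth === $foreachDepth) {
                $foreachDepth = null;         // header closed; the loop variables stay usable in the body
            }
            $depth--;
        }
        $prev2 = $prev;
        $prev = $tok;
    }
    return null;
}

// Constructed sample templates: one that only uses if/foreach/echo on $data, and several that must fail.
$good = <<<'TPL'
<h1><?= htmlspecialchars($data->title) ?></h1>
<ul><?php foreach ($data->items as $i => $item): ?>
  <li><?= $i ?>: <?= htmlspecialchars($item['name']) ?></li>
<?php endforeach; ?></ul>
<?php if (count($data->items) > 3): ?><p>long list</p><?php endif; ?>
TPL;

$bad = [
    '<?= system("id") ?>',            // identifier not allow-listed
    "<?= 'system'('id') ?>",          // call on a string literal
    '<?= $data->render() ?>',         // method call on the object
    '<?= $_SERVER["HTTP_HOST"] ?>',   // variable other than $data / loop variables
    '<?php eval($data->code); ?>',    // T_EVAL is not an allowed token
    '<?= "{$data->secret}" ?>',       // interpolated string starts with the " token
];

var_dump(validateTemplate($good));
foreach ($bad as $tpl) {
    echo validateTemplate($tpl), PHP_EOL;
}
```

Two caveats a practitioner should keep in mind. First, the check only rejects; the source that passes is still executed in-process with the full privileges of the web server, so every entry added to the allow-lists (a function such as `call_user_func`, a token such as `T_INCLUDE`) is a potential full compromise, and property access exposes anything reachable from `$data`. Second, validation of the token stream is not a parser: grouping parentheses are refused above because the code cannot tell `(1 + 2)` from `'system'(...)` without one. That trade-off is why the answer also points at Twig's sandbox, which checks a real template AST instead.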
4

The only one I know so far is runkit.

The runkit extension provides means to modify constants, user-defined functions, and user-defined classes. It also provides for custom superglobal variables and embeddable sub-interpreters via sandboxing.

Update:

I found these two links regarding Zend and runkit that you should take a look at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Http_Server+-+Mat+Scales
http://www.dunfy.me.uk/?p=38

3 Comments

Runkit requires Thread Safety to be enabled and Zend requires Thread Safety to be disabled. Is there a way to use Zend and Runkit?
The Runkit_Sandbox class is only available as of PHP 5.1.0 or specially patched versions of PHP 5.0, and requires that thread safety be enabled. In my phpinfo() runkit is enabled, however runkit_sandbox is disabled, probably because of the thread safety.
@Ghommey: That's what we have so far :(
4

Along the lines of Smarty, give Twig a try!

There is also a very robust extension system which allows you to allow/disallow built-in or custom tags, token parsers, nodes, etc in the template language itself. This way, users can have basic logic (conditional statements, "functions" (blocks) and iterators) without resorting to the evils of eval.

1 Comment

Twig blows Smarty out of the water and it's still in active development.
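The sandbox configuration the answer above describes, written out as an added example (this is not the answerer's code and not part of Twig's own documentation). It assumes Twig 3 installed through Composer; the ReportData class, the policy lists and the sample templates are constructed for this illustration and show a policy that permits exactly what the question asked for: echo, if and a loop over a $data object.

```php
<?php
// Added example (not from the answer above): a Twig 3 sandbox policy that lets a
// user template use if/for/echo on $data and nothing else. Twig via Composer is
// assumed; the class, policy lists and templates are constructed for the demo.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

final class ReportData
{
    public function __construct(public string $title, public array $items) {}
    public function getTitle(): string { return $this->title; }
    public function purge(): void { /* something a template must never be able to reach */ }
}

function buildSandboxedTwig(): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                              // tags: no set, include, extends, macro ...
        ['escape', 'e', 'upper', 'length'],         // filters ('escape' keeps autoescaping usable)
        [ReportData::class => ['getTitle']],        // methods, listed per class
        [ReportData::class => ['title', 'items']],  // properties, listed per class
        []                                          // functions: none at all
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html', 'cache' => false]);
    // true = sandbox every template, not only those rendered inside {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

function renderUserTemplate(Environment $twig, string $source, ReportData $data): string
{
    $twig->setLoader(new ArrayLoader(['user' => $source]));
    try {
        return $twig->render('user', ['data' => $data]);
    } catch (SecurityError $e) {
        // SecurityNotAllowedTagError, ...FilterError, ...FunctionError are raised at compile time,
        // ...MethodError and ...PropertyError at run time; all extend SecurityError.
        return 'REJECTED: ' . $e->getMessage();
    }
}

// Constructed input: note the HTML in the values, which autoescaping must neutralise.
$data = new ReportData('<Q3> report', [['name' => 'alpha'], ['name' => 'b<script>']]);
$twig = buildSandboxedTwig();

$templates = [
    // what the question asked for: echo, if and a loop over $data
    '<h1>{{ data.title }}</h1>{% for item in data.items %}<li>{{ item.name|upper }}</li>{% endfor %}'
    . '{% if data.items|length > 1 %}<p>several</p>{% endif %}',
    '{{ data.purge() }}',                // method not in the policy
    '{% set x = data.title %}{{ x }}',   // "set" tag not in the policy
    '{{ range(1, 3)|join(",") }}',       // neither the range function nor the join filter is allowed
];
foreach ($templates as $source) {
    echo renderUserTemplate($twig, $source, $data), PHP_EOL;
}
```

The policy is per class: an object nested inside `$data` (say, an entity returned by an allowed method) needs its own entry before a template can read anything from it, so keep `$data` a flat value object rather than handing templates your ORM entities. Because tags, filters and functions are checked when the template is compiled, a rejected template never runs at all, which is a much stronger position than validating PHP source and then executing it.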
2

Tried Smarty? http://www.smarty.net/

1 Comment

@Ghommey: If you really only want customizable output, then this is your choice. A template engine is a lot easier to maintain than a PHP sandbox.
1

The PECL runkit extension does provide sandboxing, but it's possibly a bit overkill for what you want to do.


1

PHP Fat-Free Framework has a template engine that prohibits the use of PHP code and allows you to define which functions can be used inside HTML templates.

There's also a real sandboxing feature that makes functions and include files independent of others, i.e. variables/functions in one include file are not known to others, so you can have a function with an identical name as another include file. This may be of some use for (dysfunctional) developer teams.

