Elijah Horton:
Sandboxing Untrusted Code With PHPSandbox
April 29, 2013 @ 11:56:37

Elijah Horton has a recent post on his site sharing a tool he has developed to sandbox and validate user-contributed PHP code.

Few quotes related to the PHP language are as pithy and resoundingly accurate as the phrase: "Eval is evil." The reasons are myriad: the eval() function basically gives whatever code is passed to it unlimited control of the parser, and this freedom makes eval() both a temptation for developers, who may need to dynamically control PHP at runtime, and a panacea for hackers who are ever-searching for more servers to add to their botnets. So, how does one make use of the extreme power available through runtime evaluation of PHP, without exposing one's server to near-certain rooting? Through a sandbox.

His tool, PHPSandbox, uses the PHP-Parser library to deconstruct the PHP code it is given and look for issues. He gives an example of a call to mail() and shows how the sandbox would catch it. He also shows how to install it via Composer and how to configure it with whitelisted methods and functions. It also includes a way to override function calls with a safer alternative.
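As an added example that is not part of Horton's post or the PHPSandbox project, the sketch below shows the same approach in miniature: parse untrusted source with nikic/php-parser, reject constructs a static whitelist cannot reason about (eval, include, backticks, dynamic calls), check every function call against a whitelist, and rewrite mail() to a wrapper before the code is ever run. It assumes the PHP-Parser v4 API, PHP 7.4 or later, and a hypothetical safe_mail() wrapper that you would write yourself; the sample inputs are constructed.

```php
<?php
// Added illustration, not PHPSandbox's own code: an AST-based function
// whitelist and call-rewriter built on nikic/php-parser. Assumes the v4 API
// (composer require nikic/php-parser:^4) and PHP 7.4+.
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter\Standard;

final class SandboxViolation extends RuntimeException {}

/**
 * Enforces a function whitelist over the AST. Constructs that reach the
 * interpreter or the OS by a route static analysis cannot see (eval,
 * include/require, backtick shell execution, dynamic calls) are rejected.
 */
final class WhitelistVisitor extends NodeVisitorAbstract
{
    /** @var array<string, string|null> lowercased name => wrapper name or null */
    private array $allowed;

    public function __construct(array $allowed)
    {
        $this->allowed = array_change_key_case($allowed, CASE_LOWER);
    }

    public function leaveNode(Node $node)
    {
        if ($node instanceof Node\Expr\Eval_
            || $node instanceof Node\Expr\Include_
            || $node instanceof Node\Expr\ShellExec) {
            throw new SandboxViolation(sprintf(
                'forbidden construct %s on line %d', $node->getType(), $node->getLine()));
        }

        if ($node instanceof Node\Expr\FuncCall) {
            // $f(...) or (expr)(...): the callee is only known at runtime,
            // so a static whitelist cannot vouch for it. Reject.
            if (!$node->name instanceof Node\Name) {
                throw new SandboxViolation('dynamic function call on line ' . $node->getLine());
            }
            // toString() drops a leading backslash, so \mail() and mail()
            // compare equal; PHP function names are case-insensitive.
            $name = strtolower($node->name->toString());
            if (!array_key_exists($name, $this->allowed)) {
                throw new SandboxViolation(sprintf(
                    'call to non-whitelisted function %s() on line %d', $name, $node->getLine()));
            }
            // Whitelisted with a wrapper: rewrite the callee in place.
            if ($this->allowed[$name] !== null) {
                $node->name = new Node\Name($this->allowed[$name]);
            }
        }
        return null; // keep the (possibly mutated) node
    }
}

/** Parse, validate and rewrite untrusted source; returns the sanitised code. */
function sandbox_rewrite(string $code, array $allowed): string
{
    $parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
    try {
        $ast = $parser->parse($code);
    } catch (Error $e) {
        throw new SandboxViolation('parse error: ' . $e->getMessage());
    }
    $traverser = new NodeTraverser();
    $traverser->addVisitor(new WhitelistVisitor($allowed));
    $ast = $traverser->traverse($ast);
    return (new Standard)->prettyPrintFile($ast);
}

// Whitelist: null = allowed as-is; a string = rewritten to that wrapper.
// safe_mail() is a hypothetical wrapper you would write yourself (e.g. one
// that forces a fixed From: header and strips CR/LF from user-supplied fields).
$allowed = [
    'strtoupper' => null,
    'sprintf'    => null,
    'mail'       => 'safe_mail',
];

// Constructed sample inputs.
$samples = [
    'rewritten' => '<?php mail($to, "Hi", sprintf("Hello %s", strtoupper($name)));',
    'dynamic'   => '<?php $f = "sys" . "tem"; $f("id");',
    'eval'      => '<?php eval($payload);',
    'backtick'  => '<?php echo `ls /`;',
];

foreach ($samples as $label => $src) {
    try {
        echo "[$label] accepted:\n" . sandbox_rewrite($src, $allowed) . "\n";
    } catch (SandboxViolation $e) {
        echo "[$label] rejected: " . $e->getMessage() . "\n";
    }
}
```

Two caveats a practitioner should keep in mind. First, the rewritten code still has to be executed (via eval() or by including a temporary file), and an AST whitelist says nothing about runtime behaviour such as infinite loops or memory exhaustion, so run the result under max_execution_time and memory_limit, ideally in a separate process with its own resource limits. Second, functions that accept a callee by name at runtime (call_user_func, array_map, usort and friends) must stay off the whitelist, because they would let code pick a target the static check never sees; method and static calls, which the page says PHPSandbox also whitelists, need the same treatment as FuncCall above.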

sandbox protection contributed code validation function

Link: http://www.fieryprophet.com/blog/detail/sandboxing-untrusted-code-with-phpsandbox


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework