How to Execute PHP Code in a Sandbox from Within PHP

Is there a way to execute php code in a sandbox from within php

There is runkit, but you may find it simpler to just call the script over the command line (use shell_exec) if you don't need any interaction between the master and child processes.

Execute PHP code with restrictions

What you want to do is pretty much impossible. It is really hard to protect yourself against attacks if you allow people to execute code on your machine.

Here is the attempt I had at it: Sandbox. Source code.

What it does is basically maintain a large list of blacklisted functions for filesystem access, shell access, and so on. (I allowed some functions for reading the filesystem, like show_source, that should not be allowed if you want to use it for something real.)

It also tries to protect from more hidden attacks like $func = 'unlink'; $func(__FILE__); by turning it into $func = 'unlink'; ${'___xyz'.!$___xyz=Sandbox::checkVarFunction($func)}(__FILE__) and so on.

PS: Still, you probably don't want to allow people to run PHP code on your site. The risk is just by far too big. Instead I would allow people to use a templating language inside the editor. A good candidate would be Twig, because it has a built-in sandbox which allows you to restrict usage to certain tags, functions, ...
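The Twig sandbox mentioned above, as an added example that is not part of the original answer: it builds a SecurityPolicy that allows only a handful of tags, filters and functions, enables the SandboxExtension for every template, and shows what happens when a user-supplied template steps outside the policy. It assumes Twig 3 installed via Composer (vendor/autoload.php) and uses constructed sample templates.

```php
<?php
// Added example, not from the original answer. Assumes Twig 3 via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed user-submitted templates: one that stays inside the policy and
// two that try to reach beyond it (a disallowed filter and a disallowed function).
$templates = [
    'greeting' => 'Hello {{ name|upper }}! {% for i in range(1, 3) %}{{ i }} {% endfor %}',
    'raw'      => 'Hello {{ name|raw }}',                  // "raw" bypasses escaping
    'constant' => 'PHP is {{ constant("PHP_VERSION") }}',   // reaches into PHP constants
];

$twig = new Environment(new ArrayLoader($templates), [
    'autoescape' => 'html',   // output escaping stays on inside the sandbox
    'cache'      => false,
]);

// The allow-lists: tags, filters, methods (class => [methods]), properties
// (class => [properties]) and functions. Anything not listed is refused.
$policy = new SecurityPolicy(
    ['for', 'if'],                 // tags
    ['escape', 'upper', 'length'], // filters
    [],                            // methods on objects passed in as variables
    [],                            // properties on those objects
    ['range']                      // functions
);

// Second argument "true" sandboxes every template, not only those rendered
// inside {% sandbox %} blocks, which is what you want for untrusted input.
$twig->addExtension(new SandboxExtension($policy, true));

foreach (array_keys($templates) as $name) {
    try {
        // Template variables can contain HTML; autoescape neutralises it.
        echo $name, ': ', $twig->render($name, ['name' => '<b>World</b>']), PHP_EOL;
    } catch (SecurityError $e) {
        // Violations are detected at compile time (filters/functions/tags)
        // or at runtime (methods/properties) and surface as SecurityError.
        echo $name, ': REJECTED (', get_class($e), '): ', $e->getMessage(), PHP_EOL;
    }
}
```

Because the policy is an allow-list, a new Twig filter or function that ships with a library upgrade is not reachable from user templates until you add it explicitly; the methods and properties lists matter as soon as you pass objects (rather than scalars and arrays) into the template context.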

Is it possible to run PHP code in isolation?

The Sandbox in the Runkit PECL extension (not embedded with PHP) seems to be able to do this. http://docs.php.net/runkit

$sandbox = new Runkit_Sandbox($options);
$sandbox->ini_set(…);
$sandbox->eval($code);

https://github.com/zenovich/runkit
https://github.com/runkit7/runkit7

How to safely execute user-submitted PHP code

I always wondered how good it would be to have a Cloud IDE where I could host all my PHP files, test them, share them etc. Basically it should be able to do everything which I do on my computer. Recently I stumbled upon a very nice Cloud IDE called Kodingen. It is such a useful Cloud Application and so handy at times. However, below is a list of some of the services that offer to run PHP code.

  • http://kodingen.com/
  • http://www.codr.cc/
  • http://www.chopapp.com/
  • http://www.amyeditor.com/
  • https://codeanywhere.net/
  • http://www.coderun.com/
  • http://shiftedit.net/

Sandboxing Users' PHP Code

If you don't have your own server you probably don't have runkit. But what you do have (probably) is the Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here is an example of how to validate an array using this. You could do the same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.

Edit: And obviously I do recommend to use Twig, too. It is so nice - and has sandboxing!
