Is there a way to execute php code in a sandbox from within php
There is runkit, but you may find it simpler to just call the script over the command line (use shell_exec), if you don't need any interaction between the master and child processes.
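Running the script in a separate process, as this answer suggests, shown as an added example that is not code from the answer itself. It uses proc_open() instead of shell_exec() so the parent can enforce a wall-clock timeout, pass INI restrictions on the command line, and keep the script path out of any shell string. It assumes PHP 7.4 or later (the array form of proc_open, which starts the child without a shell), a `php` CLI binary on PATH, and that the CLI honours `-d` for these directives (it treats them like php.ini entries). The directive values, the function name and the demo script are this example's own choices.

```php
<?php
// Added example, not code from the original answer. Assumes PHP >= 7.4 and a
// `php` CLI on PATH; directive values below are illustrative choices.

function runUntrustedPhp(string $scriptPath, int $timeoutSeconds = 5, string $phpBinary = 'php'): array
{
    $real = realpath($scriptPath);
    if ($real === false) {
        throw new InvalidArgumentException("no such script: $scriptPath");
    }
    $allowedDir = dirname($real);

    // Array form: no shell is involved, so the path needs no escaping.
    $cmd = [
        $phpBinary,
        '-d', 'open_basedir=' . $allowedDir,
        '-d', 'disable_functions=exec,shell_exec,system,passthru,proc_open,popen,pcntl_exec,dl',
        '-d', 'allow_url_fopen=0',
        '-d', 'memory_limit=64M',
        '-d', 'max_execution_time=' . $timeoutSeconds, // CPU time on Linux, so not a wall-clock limit
        $real,
    ];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Minimal environment: the child does not inherit the parent's secrets.
    $env = ['PATH' => getenv('PATH') ?: '/usr/bin:/bin'];

    $proc = proc_open($cmd, $spec, $pipes, $allowedDir, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start php');
    }
    fclose($pipes[0]);                      // the child gets no stdin
    stream_set_blocking($pipes[1], false);
    stream_set_blocking($pipes[2], false);

    $out = $err = '';
    $deadline = microtime(true) + $timeoutSeconds;
    $timedOut = false;
    $exitCode = -1;
    while (true) {
        // Drain both pipes so a chatty child never blocks on a full pipe buffer.
        $out .= stream_get_contents($pipes[1]);
        $err .= stream_get_contents($pipes[2]);
        $status = proc_get_status($proc);
        if (!$status['running']) {
            $exitCode = $status['exitcode'];    // only valid on the first call after exit
            break;
        }
        if (microtime(true) > $deadline) {
            proc_terminate($proc, 9);           // SIGKILL: the wall-clock deadline is the real limit
            $timedOut = true;
            break;
        }
        usleep(20000);
    }
    $out .= stream_get_contents($pipes[1]);
    $err .= stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);

    return ['exit' => $exitCode, 'timed_out' => $timedOut, 'stdout' => $out, 'stderr' => $err];
}

// Constructed demo: a script that never returns, to exercise the timeout path.
$tmp = tempnam(sys_get_temp_dir(), 'sandbox');
file_put_contents($tmp, '<?php while (true) {}');
$result = runUntrustedPhp($tmp, 2);
unlink($tmp);
printf("timed_out=%s exit=%d\n", $result['timed_out'] ? 'yes' : 'no', $result['exit']);
```

A child process isolates failures, not attackers: the script still runs as the web-server user with that user's files and network access, disable_functions is a denylist, and open_basedir has a long history of bypasses. If untrusted code has to run at all, start the child as a separate unprivileged user, inside a container or seccomp profile, with CPU, memory and time limits enforced by the OS rather than by PHP.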
Execute PHP code with restrictions
What you want to do is pretty much impossible. It is really hard to protect yourself against attacks if you allow people to execute code on your machine.
Here is my attempt at it: Sandbox. Source code.
What it does is basically maintain a large list of blacklisted functions for filesystem access, shell access, and so on (I allowed some functions for reading the filesystem, like show_source, that should not be allowed if you want to use it for something real).
It also tries to protect against more hidden attacks like $func = 'unlink'; $func(__FILE__); by turning it into $func = 'unlink'; ${'___xyz'.!$___xyz=Sandbox::checkVarFunction($func)}(__FILE__), and so on.
PS: Still, you probably don't want to allow people to run PHP code on your site. The risk is just far too big. Instead I would allow people to use a templating language inside the editor. A good candidate would be Twig, because it has a built-in sandbox which allows you to restrict usage to certain tags, functions, etc.
Is it possible to run PHP code in isolation?
The Sandbox in the Runkit PECL extension (not embedded with PHP) seems to be able to do this. http://docs.php.net/runkit
$sandbox = new Runkit_Sandbox($options);
$sandbox->ini_set(…);
$sandbox->eval($code);
https://github.com/zenovich/runkit
https://github.com/runkit7/runkit7
How to safely execute user-submitted PHP code
I always wondered how good it would be to have a Cloud IDE where I could host all my PHP files, test them, share them, etc.; basically it should be able to do everything which I do on my computer. Recently I stumbled upon a very nice Cloud IDE called Kodingen. It is such a useful cloud application and so handy at times. However, below is a list of some of the services which offer to run PHP code for you.
- http://kodingen.com/
- http://www.codr.cc/
- http://www.chopapp.com/
- http://www.amyeditor.com/
- https://codeanywhere.net/
- http://www.coderun.com/
- http://shiftedit.net/
Sandboxing Users' PHP Code
If you don't have your own server you probably don't have runkit. But what you do have (probably) is the Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here is an example of how to validate an array using this. You could do the same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or disallow, please say so.
Edit: And obviously I do recommend using Twig, too. It is so nice, and it has sandboxing!
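The token scan this answer describes, as an added example that is not code from any of the answers above nor from the linked Sandbox project. It is written as an allowlist rather than the blacklist the Sandbox answer maintains: every token, single-character token, called function name and variable must be explicitly permitted, so the `$func = 'unlink'; $func(__FILE__)` trick from that answer, string callables like `'unlink'(...)`, variable variables and `(expr)(...)` are all rejected without special-casing each one. It assumes PHP 7.4 or later with the bundled tokenizer extension; the class name, the allowlists (a small procedural subset) and the sample sources are this example's own choices.

```php
<?php
// Added example, not code from the original answers or the Sandbox project.
// Allowlists are illustrative; widen them only with functions that take no callbacks.

final class PhpSourceGate
{
    /** Tokens a submitted script may contain (everything else is rejected). */
    private const ALLOWED_TOKENS = [
        T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO, T_CLOSE_TAG, T_INLINE_HTML,
        T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
        T_VARIABLE, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
        T_ENCAPSED_AND_WHITESPACE, T_CURLY_OPEN, T_NUM_STRING,
        T_STRING, T_ECHO, T_PRINT, T_RETURN, T_FUNCTION,
        T_IF, T_ELSE, T_ELSEIF, T_WHILE, T_FOR, T_FOREACH, T_AS, T_BREAK, T_CONTINUE,
        T_DOUBLE_ARROW, T_ARRAY, T_ISSET, T_EMPTY, T_COALESCE,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR,
        T_INC, T_DEC, T_PLUS_EQUAL, T_MINUS_EQUAL, T_CONCAT_EQUAL,
    ];

    /** Single-character tokens (token_get_all() returns these as plain strings). No '$' and no '`'. */
    private const ALLOWED_CHARS = ['(', ')', '[', ']', '{', '}', ';', ',', '.', '+', '-',
        '*', '/', '%', '=', '<', '>', '!', '?', ':', '&', '|', '^', '~', '"'];

    /** Built-in functions a script may call. None of them accepts a callback. */
    private const ALLOWED_FUNCTIONS = [
        'strlen', 'strtolower', 'strtoupper', 'substr', 'str_repeat', 'trim',
        'implode', 'explode', 'sprintf', 'number_format', 'htmlspecialchars',
        'count', 'in_array', 'array_keys', 'array_values', 'array_sum', 'range',
        'abs', 'round', 'max', 'min', 'intval', 'is_numeric',
    ];

    /** Variables that expose the host environment or the request. */
    private const FORBIDDEN_VARIABLES = ['$GLOBALS', '$_SERVER', '$_ENV', '$_GET', '$_POST',
        '$_REQUEST', '$_COOKIE', '$_FILES', '$_SESSION', '$this'];

    /** Returns the list of violations; an empty array means the source passed. */
    public static function check(string $source): array
    {
        $tokens = token_get_all($source);
        $violations = [];

        // Pass 1: functions the script defines itself may be called by name.
        $defined = [];
        foreach ($tokens as $i => $tok) {
            if (is_array($tok) && $tok[0] === T_STRING) {
                $prev = self::neighbour($tokens, $i, -1);
                if (is_array($prev) && $prev[0] === T_FUNCTION) {
                    $defined[] = strtolower($tok[1]);
                }
            }
        }

        // Pass 2: allowlist every token, then apply the call-site rules.
        foreach ($tokens as $i => $tok) {
            if (is_string($tok)) {
                if (!in_array($tok, self::ALLOWED_CHARS, true)) {
                    $violations[] = "character token '$tok' not allowed";
                } elseif (in_array($tok, [')', ']', '"'], true) && self::neighbour($tokens, $i, +1) === '(') {
                    // (expr)(...), [$obj, 'm'](...), "$name"(...): callee decided at runtime.
                    // Also rejects the rare legitimate `if ($c) (...)`; accepted as a false positive.
                    $violations[] = "call on the result of '$tok' not allowed";
                }
                continue;
            }
            [$id, $text, $line] = $tok;
            if (!in_array($id, self::ALLOWED_TOKENS, true)) {
                $violations[] = "line $line: " . token_name($id) . " not allowed";
                continue;
            }
            if ($id === T_VARIABLE && in_array($text, self::FORBIDDEN_VARIABLES, true)) {
                $violations[] = "line $line: $text not allowed";
                continue;
            }
            if (self::neighbour($tokens, $i, +1) !== '(') {
                continue;   // not a call site
            }
            if ($id === T_STRING) {
                $name = strtolower($text);
                $prev = self::neighbour($tokens, $i, -1);
                $isDefinition = is_array($prev) && $prev[0] === T_FUNCTION;
                if (!$isDefinition && !in_array($name, self::ALLOWED_FUNCTIONS, true)
                        && !in_array($name, $defined, true)) {
                    $violations[] = "line $line: call to $text() not allowed";
                }
            } elseif ($id === T_VARIABLE || $id === T_CONSTANT_ENCAPSED_STRING) {
                // $f(...) and 'unlink'(...): the blacklist bypass from the Sandbox answer.
                $violations[] = "line $line: dynamic call through $text not allowed";
            }
        }
        return array_values(array_unique($violations));
    }

    /** Nearest token in the given direction that is not whitespace or a comment, or null. */
    private static function neighbour(array $tokens, int $i, int $step)
    {
        for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
            $t = $tokens[$j];
            if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            return $t;
        }
        return null;
    }
}

// Constructed sample submissions: one benign, the rest using the tricks discussed above.
$samples = [
    'ok'      => '<?php function twice($n) { return $n * 2; } echo twice(21), PHP_EOL;',
    'direct'  => '<?php unlink(__FILE__);',
    'dynamic' => '<?php $func = \'unlink\'; $func(__FILE__);',
    'string'  => '<?php \'unlink\'(__FILE__);',
    'varvar'  => '<?php $n = "func"; $$n = "unlink"; $func(__FILE__);',
    'env'     => '<?php echo $_SERVER["DOCUMENT_ROOT"];',
];
foreach ($samples as $label => $src) {
    $v = PhpSourceGate::check($src);
    printf("%-8s %s\n", $label, $v ? 'REJECT: ' . implode('; ', $v) : 'pass');
}
```

Keep the function allowlist free of anything that takes a callable (array_map, usort, preg_replace_callback, call_user_func, register_shutdown_function), because a string argument to such a function is a function call the tokenizer cannot see. A token gate of this kind is a pre-check, not a sandbox: it says nothing about runtime behaviour, memory or CPU use, so the rejected source still needs the process-level limits and OS isolation discussed earlier, and the answers' own recommendation of a templating language with a real sandbox (Twig) remains the safer design.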