how to safely eval user-generated code

  • emmettnicholas@gmail.com

    how to safely eval user-generated code

    Hi,

    I realize that eval() is generally discouraged, but I've found myself
    wishing that I could execute user-generated code.

    One idea I've seen is to use token_get_all(), and then make sure no
    T_STRING tokens match known "dangerous" function names.

    Where could I find such a list of "dangerous" functions? What are the
    pitfalls of this approach? Is there any way to safely allow user-
    controlled scripting, or is it just a bad idea in general? Thanks.

    -Emmett
  • Erwin Moller

    #2
    Re: how to safely eval user-generated code

    emmettnicholas@gmail.com wrote:
    > Hi,
    >
    > I realize that eval() is generally discouraged, but I've found myself
    > wishing that I could execute user-generated code.
    >
    > One idea I've seen is to use token_get_all(), and then make sure no
    > T_STRING tokens match known "dangerous" function names.
    >
    > Where could I find such a list of "dangerous" functions? What are the
    > pitfalls of this approach? Is there any way to safely allow
    > user-controlled scripting, or is it just a bad idea in general? Thanks.
    >
    > -Emmett
    Hi Emmett,

    I think such an approach will never be 100% safe.
    For starters, what do YOU consider a dangerous function? And me?
    And the next version of PHP? Will it hold function names that will be
    'dangerous' that are not in the current set?

    When I was once in the situation where I had to eval code provided by a user
    (the user was providing a function I needed to eval on some results from a
    database), I approached it the other way round: I defined a few strings
    that WERE allowed.
    I am not sure if that helps you because it is very restricting, and might
    not at all apply to your situation.
    In my situation I needed a function, so:
    Y=eval('userinput')
    and userinput could only contain:
    numbers, (), */+-, sin(), cos(), and column names for some table.
    I wrote a function that stripped everything that did not follow these
    demands, and if the original didn't match the result, the function was rejected.

    Hope that helps.
    If you explain what you try to accomplish, maybe we can give you another
    solution.

    Regards,
    Erwin Moller

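The allow-list approach Erwin describes, written out as an added example (this is not code from the thread or from any of its posters). It uses token_get_all(), which the original poster mentioned, but inverted: instead of hunting for dangerous names, every token the lexer produces is rejected unless it is a number, one of ( ) + - * /, whitespace, sin, cos, or a known column name. The column names, the sin/cos choice and the sample row are assumptions for illustration; column names are assumed to be valid PHP identifiers.

```php
<?php
// Added example, not code from the thread. It turns the poster's
// token_get_all() idea into the allow-list Erwin Moller describes: only
// numbers, ( ) + - * /, sin(), cos() and known column names may appear.
// The allowed functions, column names and the sample row are assumptions.

function validateExpression(string $expr, array $columns): bool
{
    $allowedFunctions = ['sin', 'cos'];
    $allowedChars     = ['(', ')', '+', '-', '*', '/'];

    // token_get_all() only lexes PHP after an open tag, so prepend one.
    foreach (token_get_all('<?php ' . $expr) as $token) {
        // Single-character operators and parentheses come back as plain strings.
        if (is_string($token)) {
            if (!in_array($token, $allowedChars, true)) {
                return false;        // e.g. ';', ',', '.', '%', '['
            }
            continue;
        }

        [$id, $text] = $token;
        switch ($id) {
            case T_OPEN_TAG:
            case T_WHITESPACE:
            case T_LNUMBER:
            case T_DNUMBER:
                break;               // always harmless
            case T_STRING:
                // A bare word must be an allowed function or a column name.
                if (!in_array(strtolower($text), $allowedFunctions, true)
                    && !in_array($text, $columns, true)) {
                    return false;    // any other function or constant name
                }
                break;
            default:
                // Variables, string literals, comments, '?>', namespaced
                // names and any token type a future PHP adds: refused.
                return false;
        }
    }
    return true;
}

function evaluateRow(string $expr, array $row): ?float
{
    if (!validateExpression($expr, array_keys($row))) {
        return null;
    }

    // Rebuild the expression from its tokens, substituting each column name
    // with its value as a parenthesised float literal before eval() sees it.
    $php = '';
    foreach (token_get_all('<?php ' . $expr) as $token) {
        if (is_string($token)) {
            $php .= $token;
        } elseif ($token[0] === T_OPEN_TAG) {
            continue;
        } elseif ($token[0] === T_STRING && array_key_exists($token[1], $row)) {
            $php .= '(' . var_export((float) $row[$token[1]], true) . ')';
        } else {
            $php .= $token[1];
        }
    }

    try {
        return (float) eval('return ' . $php . ';');
    } catch (\Throwable $e) {
        // Token-clean but still invalid input: unbalanced parentheses
        // (ParseError), a bare "sin" with no argument list, or division
        // by zero (a DivisionByZeroError on PHP 8).
        return null;
    }
}

// Constructed sample row standing in for one database record.
$row = ['price' => 12.5, 'qty' => 4];

var_dump(evaluateRow('price * qty + cos(0)', $row)); // evaluates
var_dump(evaluateRow("system('id')", $row));         // unknown name and a string literal: rejected
var_dump(evaluateRow('file_put_contents', $row));    // unknown name: rejected
var_dump(evaluateRow('price / (qty - 4)', $row));    // valid tokens, fails inside eval()
```

The point of the default branch is what makes this an allow-list rather than a blacklist: anything the lexer emits that the validator has not explicitly approved, including token types introduced by a later PHP release, is refused without anyone having to know its name in advance. Substituting column values as literals, rather than exposing them as variables, keeps the evaluated string free of `$`, so the expression can only compute with the numbers it was handed.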

    • palbertini

      #3
      AW: how to safely eval user-generated code

      emmettnicholas wrote:
      > One idea I've seen is to use token_get_all(), and then make sure no
      > T_STRING tokens match known "dangerous" function names.
      I think it might be impossible to identify these functions, since
      harmless functions may become dangerous when combined in the right way.

      Consider this script:

      $i = 1000*1000*1000;
      $s = "foo and bar hang around";

      // one small file per iteration, a billion times over
      for ($a = 0; $a < $i; $a++) {
          $h = fopen("file$a.txt", "w");
          fputs($h, $s);
          fclose($h);
      }

      The only functions used here are simple file manipulation functions, but your
      webserver might not be able to deal with 1000000000 small txt files. I
      could also avoid these functions by using copy() (and maybe copying some
      images you used in the webpage). This is not directly malicious code.

      Maybe a script could copy itself and afterwards include the copy (one
      million times), which will surely allocate a lot of memory ....

      Better stick to another solution. Maybe describing your project would
      help.
