
Elijah Horton:
Sandboxing Untrusted Code With PHPSandbox
Apr 29, 2013 @ 16:56:37

Elijah Horton has a recent post on his site sharing a tool he's developed to sandbox and validate user-contributed PHP code before it is run.

Few quotes related to the PHP language are as pithy and resoundingly accurate as the phrase: "Eval is evil." The reasons are myriad: the eval() function basically gives whatever code is passed to it unlimited control of the parser, and this freedom makes eval() both a temptation for developers, who may need to dynamically control PHP at runtime, and a panacea for hackers who are ever-searching for more servers to add to their botnets. So, how does one make use of the extreme power available through runtime evaluation of PHP, without exposing one's server to near-certain rooting? Through a sandbox.

His tool, PHPSandbox, uses the PHP-Parser library to break the PHP code it's given down into a syntax tree and inspect it for disallowed constructs before anything is executed. He gives an example of a call to mail() and shows how the sandbox would catch it. He walks through installing it via Composer and configuring it with whitelisted functions and methods. It also includes a way to override function calls with a safer alternative of your choosing, so a call the untrusted code makes to one function can be redirected to a wrapper you control.
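To make the approach concrete, here is an added example of the same idea (AST walk, function whitelist, call override) written for this page; it is not PHPSandbox's code or API. It assumes nikic/php-parser v4 installed via Composer; the names `FunctionWhitelistVisitor`, `sandboxCheck` and `safe_mail` are hypothetical, and the two untrusted snippets at the bottom are constructed input.

```php
<?php
// Added example, not PHPSandbox itself: a minimal AST-based function
// whitelist on nikic/php-parser v4 (assumed installed via Composer).
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Error;
use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter\Standard;

/** Hypothetical safer stand-in for mail(): logs the attempt, sends nothing. */
function safe_mail($to, $subject, $body)
{
    error_log(sprintf('[sandbox] mail() suppressed: to=%s subject=%s', $to, $subject));
    return false;
}

final class FunctionWhitelistVisitor extends NodeVisitorAbstract
{
    /** @var array<string,true>   lower-cased names the code may call */
    private $allowed;
    /** @var array<string,string> lower-cased name => replacement function */
    private $overrides;
    /** @var string[] reasons the code was rejected */
    public $violations = [];

    public function __construct(array $allowed, array $overrides)
    {
        $this->allowed   = array_fill_keys(array_map('strtolower', $allowed), true);
        $this->overrides = array_change_key_case($overrides, CASE_LOWER);
    }

    public function enterNode(Node $node)
    {
        // Constructs that feed new code to the engine at runtime defeat any
        // static check, so they are rejected outright, never whitelisted.
        if ($node instanceof Node\Expr\Eval_
            || $node instanceof Node\Expr\Include_
            || $node instanceof Node\Expr\ShellExec) {
            $this->violations[] = sprintf('%s not permitted (line %d)', $node->getType(), $node->getLine());
            return null;
        }
        if (!$node instanceof Node\Expr\FuncCall) {
            return null;
        }
        if (!$node->name instanceof Node\Name) {
            // $f() or (expr)(): the callee is only known at runtime, so reject it.
            $this->violations[] = sprintf('dynamic function call not permitted (line %d)', $node->getLine());
            return null;
        }
        $name = strtolower($node->name->toString());
        if (isset($this->overrides[$name])) {
            // Rewrite the call target in place; the pretty printer emits the new name.
            $node->name = new Node\Name($this->overrides[$name]);
        } elseif (!isset($this->allowed[$name])) {
            $this->violations[] = sprintf('%s() is not whitelisted (line %d)', $name, $node->getLine());
        }
        return null;
    }
}

/** Parse untrusted PHP and return the rewritten source or the violations. Nothing is executed. */
function sandboxCheck($code, array $allowed, array $overrides)
{
    $parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);
    try {
        $ast = $parser->parse($code);
    } catch (Error $e) {
        return ['ok' => false, 'errors' => ['parse error: ' . $e->getMessage()], 'code' => null];
    }
    $visitor   = new FunctionWhitelistVisitor($allowed, $overrides);
    $traverser = new NodeTraverser();
    $traverser->addVisitor($visitor);
    $ast = $traverser->traverse($ast);
    if ($visitor->violations !== []) {
        return ['ok' => false, 'errors' => $visitor->violations, 'code' => null];
    }
    return ['ok' => true, 'errors' => [], 'code' => (new Standard)->prettyPrintFile($ast)];
}

// call_user_func, array_map and friends are deliberately NOT whitelisted:
// they reach any function by name at runtime and would bypass this check.
$allowed   = ['strtoupper', 'strlen'];
$overrides = ['mail' => 'safe_mail'];

// Constructed input 1: passes, with mail() rewritten to safe_mail().
$r = sandboxCheck("<?php echo strtoupper('hi'); mail('a@example.com', 's', 'b');", $allowed, $overrides);
echo $r['ok'] ? $r['code'] : implode("\n", $r['errors']), "\n";

// Constructed input 2: rejected for a dynamic call and an eval().
$r = sandboxCheck("<?php \$f = 'system'; \$f('id'); eval('1;');", $allowed, $overrides);
echo $r['ok'] ? $r['code'] : implode("\n", $r['errors']), "\n";
```

The rewritten source from the first input is what you would hand to the engine; the second is refused before any evaluation. Method calls, static calls and `new $cls` need the same treatment in a real sandbox, and even with every construct covered the check is only as strong as the whitelist: a single entry like call_user_func reopens the whole namespace.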

tagged: sandbox protection contributed code validation function

Link: http://www.fieryprophet.com/blog/detail/sandboxing-untrusted-code-with-phpsandbox

Brandon Savage's Blog:
Be Wary of User Contributed Notes
Nov 23, 2009 @ 15:19:46

Brandon Savage has a reminder for those familiar with PHP and a warning for those new to the language: take the example code in the user-contributed notes on PHP.net with a grain of salt.

This morning, I was reviewing the weekly list of topics with the most comments throughout the PHP manual, and I stumbled upon the following code in the documentation for the date() function. This code is designed to tell you the day of the week for any valid date you give it. [...] I’m sure that this user put a lot of work and effort into this function. I’m sure they were excited to share it with the PHP community. I’m sure they thought they had stumbled on a solution to a problem that everyone needed to solve. I’m sure they had no idea that this code is a great example of using PHP precisely the wrong way.

His example, roughly 30 lines of code to do something a single call to date() could accomplish, shows why blindly following the advice of others without thinking it through can be disastrous for your code. Do a bit of research before you cut and paste, and remember that someone else's code can carry someone else's problems; think before you implement.

tagged: contributed notes advice opinion
