how to safely eval user-generated code
- From: emmettnicholas@xxxxxxxxx
- Date: Sun, 30 Mar 2008 20:19:53 -0700 (PDT)
Hi,
I realize that eval() is generally discouraged, but I've found myself
wishing that I could execute user-generated code.
One idea I've seen is to use token_get_all(), and then make sure no
T_STRING tokens match known "dangerous" function names.
Where could I find such a list of "dangerous" functions? What are the
pitfalls of this approach? Is there any way to safely allow user-
controlled scripting, or is it just a bad idea in general? Thanks.
-Emmett
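
The token check described in the post, written out as an added example (not the poster's code); besides matching names it reports constructs where there is no name to match. The function name scan_user_code, the denylist contents and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example. $denylist is a constructed sample, not an authoritative list.
function scan_user_code(string $code, array $denylist): array
{
    $deny = array_flip(array_map('strtolower', $denylist));
    // Compared by token_name() so the PHP 8-only name tokens work on PHP 7 too.
    $nameTokens = ['T_STRING', 'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED'];
    $constructs = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_CLOSE_TAG];
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $findings = [];
    $prev = null; // previous significant token: int id or single-character string

    // token_get_all() only tokenizes as PHP after an open tag, so prepend one.
    foreach (token_get_all('<?php ' . $code) as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [$tok, $tok];
        if (in_array($id, $skip, true)) {
            continue;
        }
        if (is_int($id) && in_array(token_name($id), $nameTokens, true)) {
            // PHP 8 emits \foo and ns\foo as one token; compare the last segment.
            $parts = explode('\\', strtolower($text));
            $name = end($parts);
            if (isset($deny[$name])) {
                $findings[] = "denylisted name: $name";
            }
        } elseif (in_array($id, $constructs, true)) {
            $findings[] = 'language construct: ' . token_name($id);
        } elseif ($id === '`') {
            $findings[] = 'backtick operator';
        } elseif ($id === '(' && in_array($prev, [T_VARIABLE, ')', ']', '}'], true)) {
            // The callee is computed at runtime, so no name exists to match.
            $findings[] = 'dynamic call';
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING
            && isset($deny[strtolower(trim($text, "'\""))])) {
            $findings[] = 'denylisted name inside a string (possible callback)';
        }
        $prev = $id;
    }
    return array_values(array_unique($findings));
}

// Constructed input; strrev stands in for a function the operator wants blocked.
$sample = '$f = "str" . "rev"; echo $f("abc"); echo \strrev("abc");';
print_r(scan_user_code($sample, ['strrev']));
```

An empty result only means none of these patterns appeared in the token stream; it does not show that the code is safe to pass to eval().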