Re: how to safely eval user-generated code
- From: Erwin Moller <Since_humans_read_this_I_am_spammed_too_much@xxxxxxxxxxxxxxxx>
- Date: Mon, 31 Mar 2008 10:44:37 +0200
emmettnicholas@xxxxxxxxx wrote:
Hi,
I realize that eval() is generally discouraged, but I've found myself
wishing that I could execute user-generated code.
One idea I've seen is to use token_get_all(), and then make sure no
T_STRING tokens match known "dangerous" function names.
Where could I find such a list of "dangerous" functions? What are the
pitfalls of this approach? Is there any way to safely allow user-
controlled scripting, or is it just a bad idea in general? Thanks.
-Emmett
Hi Emmett,
I think such an approach will never be 100% safe.
For starters, what do YOU consider a dangerous function? And me?
And the next version of PHP? Will it hold function names that will be 'dangerous' that are not in the current set?
When I was once in the situation I had to eval code provided by a user (user was providing a function I needed to eval on some results from a database), I approached it the other way round: I defined a few strings that WERE allowed.
I am not sure if that helps you because it is very restricting, and might not at all apply to your situation.
In my situation I needed a function, so:
Y=eval('userinput')
and userinput could only contain:
numbers, (), */+-, sin(), cos(), and column names for some table.
I wrote a function that stripped everything that did not follow these demands, and if the original didn't match the result, the function was rejected.
Hope that helps.
If you explain what you try to accomplish, maybe we can give you another solution.
Regards,
Erwin Moller
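The allow-list approach Erwin describes, written out as an added example in PHP (not code from the original thread); the table column names, the row and the two sample inputs are constructed:

```php
<?php
// Added example, not Erwin's code: allow-list validation of a user-supplied formula
// before eval(). Allowed: numbers, ( ), + - * /, sin(), cos() and hypothetical column names.
const ALLOWED_FUNCTIONS = ['sin', 'cos'];
const ALLOWED_COLUMNS   = ['price', 'quantity', 'discount'];
function isAllowedFormula(string $expr): bool
{
    // Step 1: the whole input must be a sequence of allowed tokens; '$', ';',
    // quotes, backticks, '.' and any other character fail the match outright.
    $token = '\d+(?:\.\d+)?|[()+\-*\/]|[A-Za-z_]\w*';
    if (!preg_match('/^\s*(?:(?:' . $token . ')\s*)+$/', $expr)) {
        return false;
    }
    // Step 2: every identifier must be an allowed function or column name.
    preg_match_all('/[A-Za-z_]\w*/', $expr, $m);
    foreach ($m[0] as $name) {
        if (!in_array($name, ALLOWED_FUNCTIONS, true)
            && !in_array($name, ALLOWED_COLUMNS, true)) {
            return false;
        }
    }
    // Step 3: functions must be called, not used bare, and parentheses must balance.
    $fn = '/\b(?:' . implode('|', ALLOWED_FUNCTIONS) . ')\b(?!\s*\()/';
    return !preg_match($fn, $expr)
        && substr_count($expr, '(') === substr_count($expr, ')');
}
// Substitutes row values for column names, then evaluates the validated formula.
function evaluateFormula(string $expr, array $row): ?float
{
    if (!isAllowedFormula($expr)) {
        return null;
    }
    $code = preg_replace_callback('/[A-Za-z_]\w*/', function ($m) use ($row) {
        if (in_array($m[0], ALLOWED_FUNCTIONS, true)) {
            return $m[0];                               // sin / cos pass through
        }
        return '(' . var_export((float)($row[$m[0]] ?? 0), true) . ')';
    }, $expr);
    try {
        return (float)eval('return ' . $code . ';');
    } catch (\Throwable $e) {           // ParseError, DivisionByZeroError, ...
        return null;
    }
}
// Constructed row and inputs: the first formula is accepted, the second rejected.
$row = ['price' => 10.0, 'quantity' => 3, 'discount' => 0.5];
var_dump(evaluateFormula('price * quantity - discount', $row));
var_dump(evaluateFormula('price; phpinfo()', $row));
```

Note that the check decides on the raw input before anything is substituted, so a column value from the database is only ever inserted as a float literal, never as text the evaluator could interpret.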