Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I want to limit what PHP functionality my users have access to.
For instance there is an object $data and the user likes to use if for and echo.
Obviously allowing him to write PHP would be a serious vulnerability.
Is there any way to run this PHP in a sandbox or would you recommend any lightweight PHP template engine?
If you don’t have your own server you probably don’t have runkit. But what you do have (probably) is Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here an example how to validate an array using this. You could do same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.
€dit: And obviously I do recommend to use Twig, too. It is so nice – and has sandboxing!