2

Is there a way to allow a user to edit PHP code securely? For example, this is a basic PHP script that echoes Hello World! onto the page.

The idea is not to allow full coding changes, just things like the array, or they could edit a date in mktime, things like that. I thought there may be a way to echo form input fields into PHP code which will then display the results.

How could I go about allowing a user to edit the code, changing (Hello World!) to something else, and then click submit to display their edit?

<?php
echo "Hello World!";
?>

Or another example would be: how can the user edit the words in the array?

<?php
$words = array("the ", "quick ", "brown ", "fox ",
    "jumped ", "over ", "the ", "lazy ", "dog ");
shuffle($words);
foreach ($words as $word) {
    echo $word;
}

unset($word);
?>

I presume that I would have to create a form which gets the PHP code and somehow get it to display the edited results?

<form name="form" method="get" action="a.php">
    <input type="text" id="edit" name="edit" size="30" />
    <input type="submit" value="Submit" />
</form>

For anyone who is viewing this and would like to know what you can create using a form and PHP, see here: Form that edits php script

tshepang
mally
  • Use the input method. For example, you can provide a text field where users can input words, comma separated. You get the input value and separate the words using the `explode()` function, for example, etc. – Fallen Jul 29 '13 at 14:21
  • You might get a kick start from reading the http://php.net/manual/en/function.eval.php eval function, which takes a string and evaluates it as if it was PHP code. Be careful about security issues though. – Alan Piralla Jul 29 '13 at 14:23
  • It really depends on why you are wanting them to be able to do this, is this for content management reasons? If so this is entirely the wrong approach. – George Aug 05 '13 at 16:09

6 Answers

2

What you are trying to accomplish is what variables are for. Taking this example:

  echo "Hello World!";

You could change that to

  // Escape before echoing: the submitted text is data to display, not HTML or code to run.
  echo htmlspecialchars($_POST["data"] ?? "", ENT_QUOTES, "UTF-8");

and in your html

  <!-- method, not type: the script above reads $_POST, so the form must POST -->
  <form method='post'>
       <input type='text' name='data'/>
       <input type='submit'/>
  </form>

See it in action

Eval should be avoided at all costs; there is a very narrow set of problems where using eval is a sane solution.

Orangepill
  • If you could use this method to allow the user to change for example the 2 or 29: $day = date("d", mktime(0, 0, 0, 2, 29, date("Y")+$i)); – mally Aug 05 '13 at 14:47
  • @mally Yes you could do `mktime(0,0,0,2,29,date("Y")+intval($_POST["years"]));` – Orangepill Aug 05 '13 at 15:05
  • I think This may work for what i need but the code needs some attention, thanks http://phpfiddle.org/main/code/39y-qkz – mally Aug 05 '13 at 19:43
2

You want people to run arbitrary PHP code, but not all arbitrary PHP code. Tough thing to get right.

First off do not just eval() form data. Only bad* can come of this.

<form method="POST">
    <textarea name="php"></textarea>
    <button type="submit">Run</button>
</form>
<pre>
    <?= eval($_POST['php']) ?>
</pre>

One option that comes to mind is to use https://github.com/nikic/PHP-Parser.

Basically, the parser does nothing more than turn some PHP code into an abstract syntax tree. ("nothing more" is kind of sarcastic here as PHP has a ... uhm, let's just say "not nice" ... grammar, which makes parsing PHP very hard.)

You can then walk the AST and remove suspect expressions, reconstitute the tree to code, and then call eval() on it.

Outside of that, configuring a sandbox environment would be critical here, as nothing is foolproof. That way, when someone inevitably bricks the box, you can recover it.

php.ini configuration changes can make for a "safer" environment to execute arbitrary code by imposing restrictions. disable_functions and disable_classes can help limit the possible abuse. Setting a low memory_limit will help reduce excessive resource slurping.

* Unless this is a social experiment to see how long it takes for someone to turn your machine into pudding

Dan Lugg
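As an added example of the AST approach (my code, not Dan Lugg's, and not part of PHP-Parser itself; it assumes the nikic/PHP-Parser v4 API installed via Composer), here is a deny-by-default filter: instead of trying to remove suspect expressions, it rejects every node type and every function that is not explicitly allowed, and only then prints the tree back to code. It returns the filtered code and leaves the decision to eval() it to the caller, which should still sit behind the php.ini limits and the isolated sandbox the answer describes.

```php
<?php
// Added example, not Dan Lugg's code. Deny-by-default allow-list over the AST
// produced by nikic/PHP-Parser (v4 API assumed). Anything outside the list,
// including dynamic calls and variable variables, aborts with an exception.
require __DIR__ . '/vendor/autoload.php';

use PhpParser\Node;
use PhpParser\NodeTraverser;
use PhpParser\NodeVisitorAbstract;
use PhpParser\ParserFactory;
use PhpParser\PrettyPrinter\Standard;

final class AllowListVisitor extends NodeVisitorAbstract
{
    private const FUNCS = ['strlen', 'strtoupper', 'implode', 'shuffle', 'mktime', 'date'];
    private const NODES = [
        Node\Stmt\Echo_::class, Node\Stmt\Expression::class, Node\Stmt\Foreach_::class,
        Node\Expr\Assign::class, Node\Expr\Variable::class, Node\Expr\FuncCall::class,
        Node\Expr\Array_::class, Node\Expr\ArrayItem::class, Node\Expr\BinaryOp\Concat::class,
        Node\Scalar\String_::class, Node\Scalar\LNumber::class, Node\Name::class, Node\Arg::class,
    ];
    public function enterNode(Node $node)
    {
        // Exact class match, so subclasses such as Name\FullyQualified are rejected too.
        if (!in_array(get_class($node), self::NODES, true)) {
            throw new \RuntimeException('Disallowed construct: ' . $node->getType());
        }
        // Only literal calls to listed functions; $f() has an Expr callee and fails here.
        if ($node instanceof Node\Expr\FuncCall && (!$node->name instanceof Node\Name
                || !in_array($node->name->toLowerString(), self::FUNCS, true))) {
            throw new \RuntimeException('Disallowed function call');
        }
        // $$name would let the snippet reach any variable in eval()'s scope.
        if ($node instanceof Node\Expr\Variable && !is_string($node->name)) {
            throw new \RuntimeException('Variable variables are not allowed');
        }
        return null;
    }
}

// Parse, walk with the allow-list, and re-print; throws on anything disallowed.
function filterPhp(string $code): string
{
    $parser = (new ParserFactory())->create(ParserFactory::PREFER_PHP7);
    $ast = $parser->parse($code); // throws PhpParser\Error on a syntax error
    $traverser = new NodeTraverser();
    $traverser->addVisitor(new AllowListVisitor());
    $traverser->traverse($ast);
    return (new Standard())->prettyPrintFile($ast);
}
```

The question's shuffled-words snippet passes this filter unchanged, while a snippet containing a call outside FUNCS, an include, a class, or a `$$var` is rejected before any code runs.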
1

In THEORY you can do something like this, but PLEASE PLEASE PLEASE don't do it because it is extremely INSECURE.

<?php
if (isset($_REQUEST['do_eval'])) {
    eval($_REQUEST['to_eval']);
}
?>

<form action="eval.php">
    <!-- field name matched to the one eval() reads above; escaped so the submitted text redisplays correctly -->
    <textarea name="to_eval" rows="20" cols="80"><?php if (isset($_REQUEST['to_eval'])) print(htmlspecialchars($_REQUEST['to_eval'], ENT_QUOTES, 'UTF-8')); ?></textarea>
    <br />

    <input type="submit" name="do_eval" value="Submit" />
</form>
STT LCU
lePunk
0

If I get you right, then the eval function is what you need (http://php.net/manual/en/function.eval.php):

Evaluates the given code as PHP.

Although it is very dangerous, as a user can execute destructive code or output some private data.

<?php
// Full open tag, balanced parentheses, and a named submit button so isset() can ever be true.
if (isset($_POST['submit']))
{
    eval($_POST['code']);
}
else
{
?>
<form method="POST">
    <textarea name="code"></textarea>
    <input type="submit" name="submit" value="Submit">
</form>
<?php
}
Vladimir Hraban
0

This sounds extremely dangerous to me; since PHP code runs on the server, you are basically letting anyone and everyone tell your server what code to run, and telling it to run harmful code would be very easy. Unfortunately, I can't think of a trivial way to sanitize this type of input.

Having said that... you can have a form that submits the user's code to a page that can write that code into a .php file on your server, then redirects to the newly created .php file. But, again, I would not advise you to do this sort of thing.

Tal
  • Thanks for your input. The idea is not to allow full coding changes, just things like the array, or they could edit the date in mktime, things like that. I thought there may be a way to echo the input fields into PHP code which will then display the results. – mally Jul 29 '13 at 14:48
0

I think I understand what you're trying to accomplish. The actual task I believe will require a large amount of javascript in association with your PHP.

So, let's run it down theoretically.

Let's say this is your start code:

$array = array('one', 'two', 'three');
var_dump($array);

Ok - so now you want to define that the user can modify the array. Your HTML now looks something like that code above - all escaped of course.

However, you put a form element around the escaped content, and put each array element as an input field.

So, you'll end up with something like this: (Note this is HTML not PHP)

<form action="self.php" method="post">
    <div>$array = array(</div>
    <span>'<input name="arrayValue[]">', <a href="#" class="addAnother">+</a></span>
    <div>);<br>var_dump($array);</div>
    <input type="submit" value="Process this code">
</form>

Now, you'll need to write some javascript that watches for the class 'addAnother' to be clicked. If so, it goes up to its parent element and clones it (see - that's the span) and adds it after the parent. This way you'll have another whole line that is that span - with another input.

If you style the inputs to look nice, you can make it look like the user is typing inline.

Once the submit is pressed, the values are sent to the PHP. Then, the PHP will create a new array from all of $_POST['arrayValue'];

Your actual code will do this:

$array = $_POST['arrayValue'];
var_dump($array);

And then, you'll rerender the HTML again.

I know this is all 'theory' - there's a bit more code to actually be written.

I honestly would re-think if you really want to take on this task - this is a LOT of work to do it in an interactive, secure way. Perhaps there are other ways to accomplish your core task. Best of luck!

Aaron Saray
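Putting Orangepill's "use variables, not eval()" answer and Aaron Saray's arrayValue[] form together, here is an added example (my code, not from either answer) that lets the user edit only the question's own data: the words array, and the month, day and year offset passed to mktime. Nothing submitted is ever treated as code; the field names arrayValue[], month, day and years are assumptions.

```php
<?php
// Added example (not Orangepill's or Aaron Saray's code): the "variables, not
// eval()" approach applied to the question's own snippets. The user edits data
// (the words array; month, day and year offset for mktime), never code.
// Field names arrayValue[], month, day and years are assumptions.

// Keep only well-formed words: letters, digits, light punctuation, at most 32 chars.
function clean_words(array $raw, int $max = 20): array
{
    $words = [];
    foreach (array_slice($raw, 0, $max) as $w) {
        if (is_string($w) && preg_match('/^[\p{L}\p{N} .,!?\'-]{1,32}$/u', trim($w))) {
            $words[] = trim($w);
        }
    }
    return $words;
}

// Integer within [$min, $max], else $default: a range check instead of the bare
// intval() cast from the comments, so mktime() only ever sees sane values.
function clean_int($raw, int $min, int $max, int $default): int
{
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $v = is_scalar($raw) ? filter_var($raw, FILTER_VALIDATE_INT, $opts) : false;
    return $v === false ? $default : $v;
}

// Everything echoed back goes through this, so "<script>" is shown, not run.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
$posted = isset($_POST['arrayValue']) && is_array($_POST['arrayValue'])
    ? $_POST['arrayValue'] : ['the', 'quick', 'brown', 'fox'];
$words = clean_words($posted) ?: ['(no valid words)'];
$month = clean_int($_POST['month'] ?? null, 1, 12, 2);
$day   = clean_int($_POST['day'] ?? null, 1, 31, 29);
$years = clean_int($_POST['years'] ?? null, 0, 50, 0);
$ts    = mktime(0, 0, 0, $month, $day, (int) date('Y') + $years);
shuffle($words);
?>
<form method="post">
  <?php foreach ($words as $w): ?>
    <input name="arrayValue[]" value="<?= h($w) ?>" size="10">
  <?php endforeach; ?>
  month <input name="month" value="<?= $month ?>" size="2">
  day <input name="day" value="<?= $day ?>" size="2">
  +years <input name="years" value="<?= $years ?>" size="2">
  <button type="submit">Submit</button>
</form>
<p><?= h(implode(' ', $words)) ?></p>
<p><?= h(date('D, d M Y', $ts)) ?></p>
```

Out-of-range numbers fall back to the defaults and malformed words are dropped rather than echoed, so the page re-renders with exactly the editable parts the question asked for and no path from the form to eval().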