0

I'd like to set up a page on an AMP server where a user can submit a PHP file and then request it, with the following constraints:

  • the script needs to be authorized; not just any script can be uploaded
  • no info about the script should be stored on the server (at first I thought of storing a hash of the file, but can this be avoided, such as by putting the hash check at the beginning of the script itself and ensuring this part exists and is executed first?)
  • no MySQL or Apache authentication
  • assume safe mode, and the user itself is a script (cURL)

What's an efficient and secure way to implement this?

suissidle
  • 191
  • 5

1 Answer

0

You can execute a script as a string with the `eval` function.

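```php
<?php
// PHP source held in a string (no opening tag inside the string)
$script = "
echo 'Hello ';
print 'world';
";
// eval() runs the string as PHP code with the full privileges of this script
eval($script);
```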

NOTE: But it's very dangerous! This script can get full access to the server and can remove files and dirs, find system passwords, etc. So be very careful.

Victor Bocharsky
  • 11,930
  • 13
  • 58
  • 91
  • Yes, but the authorization is missing. It's the essential part, because of the danger otherwise, as you noted. – suissidle Feb 04 '14 at 12:32
  • There are many solutions for authorization. You can check if the user is authenticated, so he can upload a PHP file, which you can read for example with the `file_get_contents` function and then execute with `eval` – Victor Bocharsky Feb 04 '14 at 12:35
  • No, as I wrote in the question it has to be pure PHP, without any user authentication. – suissidle Feb 04 '14 at 12:37
  • For authorization you can read many posts, for example [php sessions to authenticate user on login form](http://stackoverflow.com/questions/1243150/php-sessions-to-authenticate-user-on-login-form) – Victor Bocharsky Feb 04 '14 at 12:38
  • Pure PHP authentication can be realized with SESSION – Victor Bocharsky Feb 04 '14 at 12:39
  • Thanks for your input so far. SESSION might be a good starting point. However, it is the file contents rather than the user that need to be authenticated, possibly without storing any file info (e.g. to use the example in your link one would need to store 'username' and 'password'). – suissidle Feb 04 '14 at 12:48
  • You can store the correct `username` and `password` directly in your PHP script. If you won't upload a file, you can use a form textarea, where you can enter PHP code and send it to the server, which checks if you are authorized and executes your code. – Victor Bocharsky Feb 04 '14 at 13:03
  • No info at all (besides perhaps vague one that doesn't allow one to identify the content) should be stored on the server. – suissidle Feb 04 '14 at 14:04
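
The thread asks for authorizing the file contents rather than the user, without storing anything about the script. One way to do that, as an added example that is not part of the original posts: the script author signs the file with an Ed25519 secret key kept off the server, and the server holds only the public key and verifies the detached signature before running the code. It assumes the sodium extension (bundled since PHP 7.2); the upload format and the function name `verify_signed_upload` are hypothetical.

```php
<?php
// Added example: authorize an uploaded script by a detached Ed25519 signature.
// Assumes PHP >= 7.2 with the bundled sodium extension. The upload format
// (base64 signature, newline, script body) is an assumption for this sketch.

/** Return the script body if the signature verifies, otherwise null. */
function verify_signed_upload(string $upload, string $publicKey): ?string
{
    $parts = explode("\n", $upload, 2);
    if (count($parts) !== 2) {
        return null;                           // no signature line present
    }
    $sig = base64_decode($parts[0], true);     // strict base64 decoding
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return null;                           // malformed signature
    }
    // The signature covers every byte of the body, so any edit invalidates it.
    return sodium_crypto_sign_verify_detached($sig, $parts[1], $publicKey)
        ? $parts[1]
        : null;
}

// Constructed demo data. In practice the key pair is generated offline and
// only the public key is deployed; the secret key never reaches the server.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Author side: sign the script and prepend the encoded signature.
$script = "echo 'Hello world', PHP_EOL;";
$sig    = sodium_crypto_sign_detached($script, $secretKey);
$upload = base64_encode($sig) . "\n" . $script;

// Server side: run only a body whose signature verifies.
$body = verify_signed_upload($upload, $publicKey);
if ($body !== null) {
    eval($body);
}

// A body modified after signing is rejected (the function returns null).
$tampered = $upload . " echo 'extra';";
var_dump(verify_signed_upload($tampered, $publicKey));
```

The signature authorizes content only: a previously signed script can be resubmitted unchanged, so anything time-limited needs an expiry or nonce inside the signed bytes.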