0

It is a little difficult to explain what I am after... Here is a simple script:

<?PHP

$someData = ["foo" => "bar"];

function someFunction($someArg) {
     include("someFile.php");
}

?>

and here is code of "someFile.php":

<?PHP
   echo "I'm some file!";
   global $someData; // point 1
   var_dump($someData);
   include("someOtherFile.php"); // point 2
?>

I want to know if it's possible to NOT let "someFile.php" access any variable except what is provided to it as args of "someFunction" (point 1), and not let it include any other files (point 2), while this is all happening in "someFunction()". How can I achieve this and/or work my way around it?

Whocares

4 Answers

0

No, you cannot prevent an included file from reading other variables.

To prevent reading any state of your application you could replace include with exec. For example: exec('php someFile.php argument') and retrieve the argument within someFile.php by using the $argv variable or getOpt

sectus
0

Unfortunately there is not any way (that I am aware of) to limit access to the current instance. It sort of goes outside the purpose and design of PHP. I provided a suggestion below; however, I recommend you read my comment at the end too.

What I can recommend is you execute the PHP file separately and use a custom php.ini file to disable functions like include via the disable_function property. You can create a temporary php file with the Global data you need it to access at the top like:

<?php
$someData = ["foo" => "bar"];


   echo "I'm some file!";
   global $someData; // point 1
   var_dump($someData);
   include("someOtherFile.php"); // point 2
?>

You would then call it like such: exec("php -f /temporary_folder/tempfile.php --php-ini /temporary_folder/php.ini");

I recommend, if security is critical and you intend to have it facing the public (hosting it yourself or releasing it), that you have it audited or reviewed by a security professional. Locking down execution of PHP code is not an easy task and there are many ways someone can execute arbitrary code or do things you don't want. You can lock down eval, but did you know you can also evaluate code via the preg_replace function? You wouldn't think a regular expression function could be exploited.

masshuu
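The separate-process approach suggested in the two answers above, as an added example that is not code from the thread. `runIsolated()`, the `/srv/sandbox` path and the JSON-over-stdin argument passing are assumptions made for illustration; it assumes PHP 7.4 or later, started from the CLI on a Unix-like host.

```php
<?php
// Added example (not from the thread). runIsolated() and the sandbox
// directory are hypothetical names; assumes PHP >= 7.4 CLI on a Unix-like host.
function runIsolated(string $script, array $args, string $sandboxDir): array
{
    $script = realpath($script);
    $root   = realpath($sandboxDir);
    if ($script === false || $root === false) {
        throw new InvalidArgumentException('script or sandbox directory not found');
    }
    $root .= DIRECTORY_SEPARATOR; // trailing separator: "/sandbox/" must not match "/sandbox-old"
    if (strncmp($script, $root, strlen($root)) !== 0) {
        throw new InvalidArgumentException('script must live inside the sandbox directory');
    }

    $cmd = [
        PHP_BINARY,                        // assumption: caller runs under the CLI SAPI
        '-n',                              // ignore all php.ini files, start from built-in defaults
        '-d', 'open_basedir=' . $root,     // include/require/fopen are confined to this tree (point 2)
        '-d', 'allow_url_include=0',
        '-d', 'allow_url_fopen=0',
        // include, require and eval are language constructs, so disable_functions
        // cannot block them; it is used here for process-spawning functions only.
        '-d', 'disable_functions=exec,shell_exec,system,passthru,popen,proc_open,pcntl_exec',
        '-d', 'memory_limit=32M',
        '-f', $script,
    ];
    $spec = [
        0 => ['pipe', 'r'],     // child's stdin: the only data the child receives (point 1)
        1 => ['pipe', 'w'],     // child's stdout
        2 => ['redirect', 1],   // merge stderr into stdout so one read drains both
    ];
    // Array command: no shell is involved. Explicit env: parent's variables are not inherited.
    $proc = proc_open($cmd, $spec, $pipes, $root, ['LC_ALL' => 'C']);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start child interpreter');
    }
    fwrite($pipes[0], json_encode($args)); // fine for small payloads
    fclose($pipes[0]);
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// In someFile.php the arguments arrive as: $args = json_decode(stream_get_contents(STDIN), true);
// Constructed call: the child sees "foo" => "bar" and nothing else from this process.
// $result = runIsolated('/srv/sandbox/someFile.php', ['foo' => 'bar'], '/srv/sandbox');
```

These ini settings restrict the interpreter from the inside; they are not an operating-system boundary, so code that is actually hostile should also run as a separate low-privilege user or in a container.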
0

Looks like what you want is to "sandbox" the included script. I don't know the answer but there are similar answered questions you can check out, such as this

PS: this should be a comment but sorry, I still do not have comment privilege yet.

Community
qtuan
0

There is no way of achieving this with include.

You must think of include as CTRL + C and CTRL + V. So as long as your original code has access to a global variable, your included file has it too. It works like pasting a new page into a used notebook. It is just an aesthetic operation. Solution? OOP...


You should try not to use global variables, and switch to object-oriented programming. If there are no global variables, and everything is stored in the object, the object decides if someone has access to this variable. A short example:

<?php
    // "Closed environment"
    class NoAccess {
        // private: readable only from methods of this class
        private $notaccessible;
        public function __construct($notaccessibleparam) {
            $this->notaccessible = $notaccessibleparam;
        }
        public function yourfunction() {
            print_r($this->notaccessible); // has access
        }
    }

    $instance = new NoAccess(10);
    // Further code doesn't even know there is a variable called $notaccessible.
    // ...
    // ...
    // But, you can always call:
    $instance->yourfunction(); // which has access, and knows it.
?>

In that case everything that you include (in the three-dots comments), or write there, cannot use the $notaccessible variable. The only way to use it is through your own interface, such as yourfunction().

This may be something really new to you, but you should try to read about OOP (object-oriented programming) in PHP, while I see your code is quite complicated, and you should switch to OOP as fast as you can.


LINKS:

http://php.net/manual/en/language.oop5.php - oop on php.net

http://php.net/manual/en/language.oop5.visibility.php - visibility of variables inside class on php.net


PS. Try to use small letters in <?php. This is a good habit.

Jacek Kowalewski