
I want to make some game in PHP that involves scripting. For obvious reasons I don't want players/users to use PHP that I just include or eval. So I decided to go with LUA.

But I've never experimented with LUA in PHP. So my questions are:

  1. Is allowing user LUA script in (out of the box) PHP a secure solution?
  2. If not, then can I (and how do I) make it secure?

What I aim for:

  • User writes some code with some generic root function, let's say main()
    • PHP code calls that function and evaluates the results
  • LUA code should be able to call a select few methods on certain objects. For example from class Enemy::isNear() or Enemy::getHP()
    • LUA code should not be able to call other methods/access other objects/call any global php functions/access any insecure OS stuff

Again, I only scratched LUA a very long time ago, where a game in C allowed for LUA mods. No experience with LUA in PHP at all.

Forien

1 Answer


If you are talking about this, the source code indicates it is just creating a standard lua instance as with C embedding. It does not seem to define much of the lua-to-host interface whatsoever, so lua code does not have direct access to the php state.

To have the user call Enemy::isNear() you'll have to put Enemy in the lua state first. It seems that it is capable of semi-intelligently converting php objects to lua tables (lua.c line 386); I'm not sure if method fields will transfer well. At worst you'll need to implement object wrapping on your own (write a lua "class" whose constructor takes a php object and slaps a metatable on it). There seems to be a way of passing php functions to lua.

Lua should not have access to any php stuff you didn't put in. There are still dangerous lua functions: require, dofile, load, loadstring, loadfile and the libraries os and debug in lua's environment. You can always check what is available to a lua function by putting in a snippet like this:

for k in pairs(_ENV) do print(k) end

Just to be sure you might throw in this line as well:

if not (_G==_ENV) then for k in pairs(_G) do print(k) end end

From this point onwards proceed with the lua manual on scoping and other discussions on sandboxing lua (e.g. this. Google finds other results as well). You might also read up on lua closures so that you don't accidentally stow undesirable methods in upvalues.

Finally, there are endless loops in the code, e.g. while true do end. In case your sandbox does not take care of that (which is likely), you'll have to handle that externally. Probably like this.

Dimitry
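The pieces the answer lists (a whitelisted environment instead of _ENV, a wrapped host object exposing only the allowed methods, and an instruction budget against endless loops) fit together as below. This is an added example for Lua 5.2 or later, not code from the original answer or from the PHP lua extension; the names Enemy, isNear, getHP and main are taken from the question, and the "user script" and the enemy record are constructed for the demonstration. In a real deployment the same environment table would be handed to the PHP-side loader rather than built with a host-side load() call.

```lua
-- Added example (not from the original answer): a minimal Lua 5.2+ sandbox
-- that loads a user script into a whitelisted environment, exposes one host
-- object through a read-only proxy, and runs main() under an instruction budget.
-- Enemy/isNear/getHP/main are assumed names from the question.

-- 1. Wrap the host object so the script sees exactly two methods and nothing
--    else; assignments are refused and the metatable is hidden.
local function make_enemy_proxy(enemy)
  local allowed = {
    isNear = function() return enemy.distance < 5 end,
    getHP  = function() return enemy.hp end,
  }
  return setmetatable({}, {
    __index     = function(_, k) return allowed[k] end,
    __newindex  = function() error("Enemy is read-only", 2) end,
    __metatable = false,   -- getmetatable() would only return false anyway
  })
end

-- 2. Whitelisted environment: no require/dofile/load*/os/io/debug, and copies
--    of the safe libraries so the script cannot mutate the host's tables.
--    pcall is deliberately absent: with it, user code could catch the budget
--    error from step 3 and keep looping.
local function make_env(enemy)
  local function copy(t) local c = {} for k, v in pairs(t) do c[k] = v end return c end
  return {
    pairs = pairs, ipairs = ipairs, next = next, select = select,
    type = type, tostring = tostring, tonumber = tonumber,
    error = error, assert = assert,
    string = copy(string), math = copy(math), table = copy(table),
    Enemy = make_enemy_proxy(enemy),
  }
end

-- 3. Load the script as text only ("t", no bytecode) into that environment,
--    let it define main(), then call main() with a count hook that raises an
--    error once max_instructions VM instructions have run.
local function run_user_script(source, enemy, max_instructions)
  local env = make_env(enemy)
  local chunk, err = load(source, "user_script", "t", env)
  if not chunk then return nil, "syntax error: " .. err end

  local ok, load_err = pcall(chunk)
  if not ok then return nil, "load-time error: " .. tostring(load_err) end
  if type(env.main) ~= "function" then return nil, "script defines no main()" end

  local function budget_exceeded() error("instruction budget exceeded", 2) end
  debug.sethook(budget_exceeded, "", max_instructions)
  local ok2, result = pcall(env.main)
  debug.sethook()   -- always clear the hook, even on error
  if not ok2 then return nil, "runtime error: " .. tostring(result) end
  return result
end

-- Constructed user script: a well-behaved main() that also probes for the
-- os library, which is simply nil inside this environment.
local user_source = [[
  function main()
    if os ~= nil then return "ESCAPED" end
    if Enemy:isNear() and Enemy:getHP() < 20 then return "attack" end
    return "wait"
  end
]]
local enemy = { distance = 3, hp = 10 }   -- constructed host-side record

print(run_user_script(user_source, enemy, 100000))
print(run_user_script("function main() while true do end end", enemy, 100000))
```

The first call returns whatever main() produced for that enemy; the second returns nil plus the budget error instead of hanging. The instruction hook is only a first line of defence: string.rep or table growth can still exhaust memory within the budget, so a wall-clock timeout and memory limit enforced by the host process (the "externally" in the answer) remain necessary.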