
While I have been reading through countless posts about using PHP as a template engine (using output buffering), I'm still trying to make a case for it.

As I'm wondering if I could use PHP as a template engine for a web app (users will be able to change the layout themselves) -- I still don't find any info regarding the following:

  • Store the templates in a MYSQL database
  • Eval them
  • BUT only include functions that are whitelisted (to give them only access to a limited set of functions -- while, foreach, etc ...)

Anybody looking for the same solution, but can chime in with a bit more information? That would be quite nice.

Taapo
  • Wow that seems very risky to me... You would need some serious knowledge of PHP to be certain that there is no flaw in your PHP whitelisting. – Matthieu Napoli May 19 '11 at 09:20
  • Here's a list of exploitable functions: http://stackoverflow.com/questions/3115559/ – JohnP May 19 '11 at 09:21
  • Oh, there you go your "serious knowledge of PHP" :p... But are you sure you can trust anyone to have the perfect list (I know I wouldn't). – Matthieu Napoli May 19 '11 at 09:24
  • https://github.com/nikic/PHP-Parser + http://stackoverflow.com/questions/5367533/execute-php-code-with-restrictions/5367562#5367562 might interest you. The latter is a naive sandbox using the tokenizer (it is NOT secure. I know several flaws in it). The former is a proper PHP parser. I will eventually port the sandbox to use the PHP parser and thus make it more reliable. – NikiC May 19 '11 at 09:33

3 Answers


If you can't trust the user editing the template, you are better off using a separate templating language.

Note that many template languages like Smarty provide code execution functions as well. You may need to disable those in the engine's configuration.

Disabling all potentially dangerous functions in PHP is a very arduous task, and easy to screw up. See Exploitable PHP functions.

Pekka
  • Twig might be interesting as well, alternatively. Smarty seems less desirable these days. – Evert May 19 '11 at 10:39

PHP is not suitable as a template engine for your purpose. You should use a proper template engine with sandboxing support for that: Twig.

NikiC

That is probably a quite difficult (but interesting, if you are into the topic) task, because it involves building a small PHP parser, which can flawlessly identify any function call or method call (because if you miss one, you're screwed/hacked/...) and then check if all your matched function identifier tokens are in your whitelist, and otherwise deny eval-ing. For generating your Parser, you might want to check out the PHP_ParserGenerator, which unfortunately does not seem to be maintained anymore, or lemonPHP/JLexPHP, which may be more up to date, but you need to use Java to generate the Parser.

Because all of this is a quite tedious task, most people resort to using a custom (made-up) template language, which is similar to PHP, but not identical.

Popular PHP template engines are, among others:

More can be found here and here

fresskoma
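Added example, not code from the question or from any of the answers: the whitelist approach fresskoma describes (only a fixed set of tags and functions may appear in a user-edited template), done with the sandbox of the Twig engine NikiC recommends instead of a hand-written PHP parser. It assumes Twig 3 installed through Composer; the `$templatesFromDb` array and its template strings are constructed stand-ins for rows read from the MySQL table.

```php
<?php
// Added example (not from the question or any answer): user-editable templates
// are rendered through Twig's sandbox so that only whitelisted tags, filters
// and functions are usable. Assumes Twig 3 installed via Composer; the
// template strings below are constructed stand-ins for rows read from MySQL.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// The whitelist: the control structures and helpers a layout editor needs.
// Anything not listed here is rejected before the template body executes.
$policy = new SecurityPolicy(
    ['if', 'for'],                 // allowed tags
    ['escape', 'upper', 'length'], // allowed filters ('escape' is used by autoescaping)
    [],                            // allowed methods: no method calls on objects at all
    [],                            // allowed properties
    ['range']                      // allowed functions
);

// Constructed stand-in for the template table; keys are the template names.
$templatesFromDb = [
    'safe' => '<ul>{% for u in users %}<li>{{ u|upper }}</li>{% endfor %}</ul>',
    // Uses the {% set %} tag, which is not on the whitelist.
    'bad'  => '{% set greeting = "hi" %}{{ greeting }}',
];

$twig = new Environment(new ArrayLoader($templatesFromDb), ['autoescape' => 'html']);
// true = every template runs sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

foreach (array_keys($templatesFromDb) as $name) {
    try {
        echo $twig->render($name, ['users' => ['alice', '<bob>']]), "\n";
    } catch (SecurityError $e) {
        // The disallowed construct is reported by name; it never reached PHP.
        echo "template '$name' rejected: ", $e->getMessage(), "\n";
    }
}
```

The 'safe' template renders with `<bob>` HTML-escaped, while the 'bad' one is refused with a SecurityError naming the disallowed tag, which is the guarantee a tokenizer-based function blacklist cannot give.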