1

Is it possible to include a PHP script (which, given the current nature of the project, could screw it up) with only limited variables?

This is because I want to run a file as a data template, but I don't want users to be able to get access to all the data. Especially on a shared service. I didn't want to use unset on every variable, because I'll need them again later.

I was hoping to be able to open a private region within the interpreter so I can run the script with only certain variables, to cut a long story short.

Thanks in advance.

topherg
  • Should also add that it needs to be immune to the effects of something like `global` – topherg Jul 06 '11 at 00:19
  • You are basically asking whether it's possible to run arbitrary user-supplied code in a secure fashion. The obvious response is: don't do that! Why do you want to do this? – Oliver Charlesworth Jul 06 '11 at 00:24
  • In the realm of PHP, your question does not make sense. You mean parent script A defines some variables, and you want `included` script B to "import" or "use" or "have visibility" to only one or two of those? – bob-the-destroyer Jul 06 '11 at 00:26
  • It's part of a larger plan with loads of cunning. I was thinking of include, but I couldn't keep other variables hidden. – topherg Jul 06 '11 at 00:28
  • You may find this question helpful http://stackoverflow.com/questions/324726/is-there-a-way-to-execute-php-code-in-a-sandbox-from-within-php – Michael Mior Jul 06 '11 at 00:36

1 Answer

2

You can create a temporary file and then execute it with something like

```php
exec("php -f /path/to/temporary/script.php");
```
zerkms
  • Is there any way of defining a few variables into that? – topherg Jul 06 '11 at 00:24
  • @Chris Goddard: put any code you want there (your vars definitions) and append with user's custom script – zerkms Jul 06 '11 at 00:25
  • This "works", but is still a **large** security hole unless you do some serious locking down of various things... – Oliver Charlesworth Jul 06 '11 at 00:28
  • @Oli Charlesworth: yep, but I hope OP understands that ;-) – zerkms Jul 06 '11 at 00:29
  • Yeah, that's what I was aiming to make it more secure. I'll probably look for a way to only allow certain functions in it, only allowed to look in certain file directories, ban certain variable calls and subroutines, hmmm – topherg Jul 06 '11 at 00:31
  • @Chris: With respect, this is the sort of thing that unless you know exactly what you are doing, you will end up leaving gaping vulnerabilities. Have you considered just using a templating engine? – Oliver Charlesworth Jul 06 '11 at 00:41
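
The separate-process approach from the answer, combined with the "put your variable definitions first" suggestion in its comments, as an added example that is not code from the thread: only whitelisted variables are written into the temporary script, and the child runs under `-n`, `open_basedir` and `disable_functions`, which narrows what it can reach but is not a complete sandbox. The function name `render_isolated`, the disabled-function list, the memory limit and the sample template are assumptions; it assumes PHP 7.4+ started from the CLI and scalar or array values.

```php
<?php
// Added example (not from the thread). render_isolated() is a hypothetical helper.
function render_isolated(string $templateCode, array $allowed, string $workDir): string
{
    $workDir = realpath($workDir);           // open_basedir compares resolved paths
    // Prelude: re-create only the whitelisted variables inside the child.
    $prelude = "<?php\n";
    foreach ($allowed as $name => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad variable name: $name");
        }
        // var_export() emits a PHP literal, so values cannot break out as code.
        $prelude .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    $prelude .= "?>";

    $script = tempnam($workDir, 'tpl');
    file_put_contents($script, $prelude . $templateCode);

    $cmd = [
        PHP_BINARY, '-n',                    // ignore php.ini and its extensions
        '-d', 'open_basedir=' . $workDir,    // confine file access to the work dir
        '-d', 'disable_functions=exec,system,shell_exec,passthru,popen,proc_open,putenv,mail',
        '-d', 'memory_limit=32M',
        '-d', 'display_errors=0',
        '-f', $script,
    ];
    // Array command form bypasses the shell; the empty env array keeps the
    // parent's environment (API keys, DB credentials) out of the child.
    $pipes = [];
    $proc = proc_open($cmd, [1 => ['pipe', 'w'], 2 => ['null']], $pipes, $workDir, []);
    if (!is_resource($proc)) {
        unlink($script);
        throw new RuntimeException('cannot start php');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    unlink($script);
    return $out;
}

// Constructed sample: $secret lives in the parent and is never exported.
$secret = 'db-password';
$tpl = 'Hello <?= htmlspecialchars($title) ?>; secret visible: '
     . '<?= var_export(isset($GLOBALS["secret"]), true) ?>';
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
echo render_isolated($tpl, ['title' => 'World'], $dir), "\n";
rmdir($dir);
```

Because the template runs in another process, `global` and `$GLOBALS` only ever see the prelude's variables; CPU time, network access and OS-level privileges are not restricted by these settings and need separate controls.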