3

I have a class like this:

class Person {
    function __construct($name) {
        $this->name = $name;
    }
    function show() {
        echo $this->name;
    }
}

On my PHP page, I'd like to have a textbox that lets me either type in a custom-language script or a PHP script (without security vulnerabilities somehow) like :

PHP Example:

    $me = new Person("Alexander");
    $me->show();

And see output on the page with the result of the show() function. Obviously I don't want people writing malicious code. How is this done? I don't have any experience with this type of programming.

Examples of problem domain:

Interactive "learn php" website. User can type php in and see result without having to set up their own web server.

"Program an attack script" game. User programs their fleet AI and watches the result of the battle against the computer AI.

Chris G.
  • 3,963
  • 2
  • 21
  • 40
  • I think this is better suited to programmers. This site is about concrete code and specific problems. – hakre Sep 29 '11 at 17:11
  • 1
    Why reinvent the wheel? There's codepad, fiddler, etc.. for this sort of thing. By all means try this if you just to want to learn something, but good luck getting your initial triangle/square attempts to look even passably round. – Marc B Sep 29 '11 at 17:14
  • Codepad and fiddler aren't going to help me add embedded scripting to my PHP program. – Chris G. Sep 29 '11 at 17:27
  • I also don't think this should be closed or go to programmers. There are tags for parsing and a tag for dsl. If I'm not supposed to ask questions about these tags, they shouldn't exist. Also I have provided concrete code and a specific problem. If I'm wrong, keep them close votes comin! – Chris G. Sep 29 '11 at 17:29
  • It's doable but it'll be hellishly difficult - especially to step around the security implications. Otherwise you could probably eval it which would be a really, really bad idea (and not future proof since I think it's being deprecated). You'd effectively be writing BlueJ (a Java teaching tool) inside PHP... – CD001 Sep 29 '11 at 18:08
  • 2
    Interactive PHP will be difficult to do safely, but your second example might be addressed by leveraging a "safer" scripting language in your application such as [LUA](http://phplua.3uu.de/). – Justin ᚅᚔᚈᚄᚒᚔ Sep 29 '11 at 18:41
  • Where could I learn more? Is it possible to whitelist eval() or something similar in order to only allow functions I specify? The user would not be able to call anything but `show()` in the example above. – Chris G. Sep 29 '11 at 19:50
  • 2
    Interesting question, I don't see why it should be closed. +1 – Matthieu Napoli Sep 29 '11 at 19:56
  • I'm looking at this and LUA might be a good solution for this. http://www.php.net/manual/en/lua.register.php – Chris G. Sep 29 '11 at 20:03
  • I can simply register Person::show() as a LUA function and LUA can get the value from PHP. – Chris G. Sep 29 '11 at 20:04

1 Answers1

1

The simplest option is to run a sandboxed virtual server. You can also try the PHP sandbox, though it doesn't look to be sufficient.

Ultimately, the safest approach would be to create your own interpreters that simply don't have capabilities that would let malicious scripts perform any damaging tasks (i.e. they have no affect in the real world), which is a topic that can fill books. The interpreter translates the code into a format that can be executed by a VM, which emulates whatever system features you want to support and provides sandboxed system calls (though the latter can also be provided by interpreter libraries you create). Basing the project on a VM allows you to support multiple languages without having to create an executor for each. Microsoft's CLI and VES provide an example of this.

When it comes to books with more information, basically anything on compilers/interpreters and virtual machines is of primary relevance. For more on VMs, see also "Good literature about making a VM", "Simple Interpreted Language Design & Implementation".

Community
  • 1
  • 1
outis
  • 75,655
  • 22
  • 151
  • 221