Reputation: 4307
How to limit the functions an included php scrit can run?
I've got this architecture:
front end -> multiplexor.php -> script.php
I want to limit the functions/procedures that can be called, for example I don't what to allow send_mail read files, etc. Just a subset of php included functions and also limit specific mysql querys like "DROP TABLE" and other erasing capabilities.
How do I achieve this? Do I need to write a validation script?
I'm running on apache with php5 and mysql latest version.
Upvotes: 0
Views: 104
Answers (3)
Reputation: 586
Sounds like what you're looking to create is something called a Dispatch Table. This can be done effectively using call_user_func() or call_user_func_array().
You'd basically create a function that accepts the function name as an input string (args would be best handled as a separate input array). If you have an array that contains a list of allowed functions, simply use PHP's in_array() function to see if the passed string is an allowed function. If it is, do the call_user_func[_array] () and return its return value. If it's not allowed, return FALSE.
Using this method is ideal because it doesn't require you to mess around with any of PHP's global settings. It'll also give you the flexibility of applying this rule to both built-in PHP functions and user-created functions. Likewise, you could do the reverse by creating an array of disallowed functions instead.
Upvotes: 1
Reputation: 47321
To prevent drop, delete in mysql you can block the Drop, delete privileges.
(That's mean the account you are using to connect mysql should NOT have privileges of Drop,Delete)
To disable PHP function :- disable_functions,disable_classes
Upvotes: 0
Reputation: 16949
You can provide list of disabled function in PHP.ini file:
disable_functions=trim,strlen,exect
depends on your needs.
Instructions like DROP TABLE which are part of database server rather than PHP should be limited on database side(user privileges?)
Or if this is not applicable and database access layer is under your control you can add simple logic which checks types of queries like:
if (stripos('DROP', $query) !== FALSE) { ... }
But in either case it's better to do such things on configuration level.
Upvotes: 2
Related Questions
- PHP: How To Disable Dangerous Functions
- Limit PHP Execution?
- Restricting php functions executed on the command line
- Hide php mysql constraint violation warning for selected functions
- How can I allow only specified functions to be executed and disable all others?
- Limit a user's function/action
- How to block a piece of code for multiple processes
- How can I limit used functions in uploaded PHP file?
- Include functions
- How do I disable a function(s) from usage in PHP?