PHP-General - Should be simple

I have a function that looks like this:



Now, this works, except that, it makes my $var variable a function. That's not what i want to do. I would like to simply assign the return value of the function to the variable. i.e. $var would be a string and the value of $var would be 'Value'. Please just assume that i must use the anonymous function().

It's a function... All you have to do is execute it.

jackiellowery, are you trying it with different people now, because you didn't like our answers from last time?

There are much easier ways to get your data stolen and your server trashed. Just go to some Russian "hacker" forum and give them root access, they'll happily do that for you.

Sorry, but instead of desperately trying to get that eval() nonsense working, what about finding an actual solution? I'm sure we can help you with that. But I don't see the point of helping someone to open his server for any kind of attacks (or even accidental manipulations by clueless users). That's kind of like assisted suicide.

Yes, sorry, i thought I'd create a new thread b/c it seemed like including the eval() info confused a lot of people as to what i was trying to accomplish. What would you suggest for an actual solution? I don't know any other way that doesn't put limits on the ability of the admin to perform manipulation to the imported data.

P.S. I'm libertarian, so I think if someone wants to commit suicide, it should be perfectly legal.

Users being able to execute code is pretty much the worst case, so this will not be simple.

What I would do is restrict the input to a subset of PHP:

• the code must be a single expression consisting of function calls, operators and literals (like "abc" or 123); variable access should not be allowed at all or restricted to $_POST and $_GET and possibly user defined variables
• only certain functions are allowed; for example, explode() is certainly useful and harmless, but not file_get_contents()

This should be just enough to allow users to edit the data but not let them mess with the application.

You can use a PHP parser like this one to analyze and sanitize the input. The whitelist for the functions you'll have to write yourself.

Alternatively, you might also look for a PHP sandbox so that you can run the input code in an isolated and safe environment. It's probably best to combine those two approaches.

Of course this is all much more complicated than just passing the input to eval(). But that's often the case with security. No company or customer with basic programming knowledge would accept the eval() stuff.

While you're at it, have fun trying to prevent code like

Yes, dynamic function calls and stuff like $$var will need special treatment. And there are probably a lot of other things to consider.

You guys don't think that just limiting the possible executables to be run using php's safe mode settings would be sufficient?

Definitely not. As of about 6 months ago, "safe mode" no longer even exists in PHP. Even if it still did, it wouldn't have been useful in this scenario.

However, that aside, it is possible to define, execute and assign the return value of a function into a variable in a single statement in PHP. However, I don't actually see how this would help much:


Allowing a user to run arbitrary PHP code is effectively identical from a security perspective to giving them FTP access as the web server user account. So, for example, this allows them to:
- obtain any passwords or api tokens you have configured for any external services
- retrieve or change any records in your database
- change any page on your site
- obtain the password of any user who logs in (or any other data users submit, like credit card numbers)
- etc. Basically they can do anything.

Now, a lot of administrators do have FTP access and thus could already do those things, but not all of them do for the security reasons listed above, so there's that to take into consideration.