#1 jackiellowery (Registered User, Devshed Newbie, joined Nov 2012, 8 posts)

    Should be simple


    I have a function that looks like this:

    Code:
    $var = function() { return 'Value'; };
    Now, this works, except that it makes my $var variable a function. That's not what I want to do. I would like to simply assign the return value of the function to the variable, i.e. $var would be a string and the value of $var would be 'Value'. Please just assume that I must use the anonymous function().

    Comments on this post

    • Jacques1 disagrees : Are you resistant to advice? :-/
#2 Did you steal it? (Devshed Supreme Being, Washington, USA, joined Mar 2007, 14,053 posts)

    It's a function... All you have to do is execute it.
    PHP Code:
    $function = function() { return 'Value'; };
    $var = $function();
#3 Jacques1 (Devshed Expert, joined Jul 2012, 3,959 posts)

    jackiellowery, are you trying it with different people now, because you didn't like our answers from last time?

    There are much easier ways to get your data stolen and your server trashed. Just go to some Russian "hacker" forum and give them root access, they'll happily do that for you.

    Sorry, but instead of desperately trying to get that eval() nonsense working, what about finding an actual solution? I'm sure we can help you with that. But I don't see the point of helping someone to open his server for any kind of attacks (or even accidental manipulations by clueless users). That's kind of like assisted suicide.
#4 jackiellowery (Registered User, Devshed Newbie, joined Nov 2012, 8 posts)

    Originally Posted by Jacques1
    jackiellowery, are you trying it with different people now, because you didn't like our answers from last time?

    There are much easier ways to get your data stolen and your server trashed. Just go to some Russian "hacker" forum and give them root access, they'll happily do that for you.

    Sorry, but instead of desperately trying to get that eval() nonsense working, what about finding an actual solution? I'm sure we can help you with that. But I don't see the point of helping someone to open his server for any kind of attacks (or even accidental manipulations by clueless users). That's kind of like assisted suicide.
    Yes, sorry, I thought I'd create a new thread because it seemed like including the eval() info confused a lot of people as to what I was trying to accomplish. What would you suggest for an actual solution? I don't know any other way that doesn't put limits on the ability of the admin to perform manipulation to the imported data.

    P.S. I'm libertarian, so I think if someone wants to commit suicide, it should be perfectly legal.
#5 Jacques1 (Devshed Expert, joined Jul 2012, 3,959 posts)

    Originally Posted by jackiellowery
    What would you suggest for an actual solution?
    Users being able to execute code is pretty much the worst case, so this will not be simple.

    What I would do is restrict the input to a subset of PHP:
    • the code must be a single expression consisting of function calls, operators and literals (like "abc" or 123); variable access should not be allowed at all or restricted to $_POST and $_GET and possibly user defined variables
    • only certain functions are allowed; for example, explode() is certainly useful and harmless, but not file_get_contents()

    This should be just enough to allow users to edit the data but not let them mess with the application.

    You can use a PHP parser like this one to analyze and sanitize the input. The whitelist for the functions you'll have to write yourself.

    Alternatively, you might also look for a PHP sandbox so that you can run the input code in an isolated and safe environment. It's probably best to combine those two approaches.

    Of course this is all much more complicated than just passing the input to eval(). But that's often the case with security. No company or customer with basic programming knowledge would accept the eval() stuff.
#6 Did you steal it? (Devshed Supreme Being, Washington, USA, joined Mar 2007, 14,053 posts)

    While you're at it, have fun trying to prevent code like
    PHP Code:
    $f="file_"."get_"."contents";$p="\x2fetc\x2fpasswd";echo $f($p); 

    Comments on this post

    • Jacques1 agrees
#7 Jacques1 (Devshed Expert, joined Jul 2012, 3,959 posts)

    Yes, dynamic function calls and stuff like $$var will need special treatment. And there are probably a lot of other things to consider.
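The restricted-subset approach from post #5, with the concatenated-name bypass from post #6 and the dynamic-call / $$var point from post #7 folded in, as an added example that is not code from the thread or from its participants. It uses PHP's core tokenizer (token_get_all) rather than the parser library linked above, so it is a token-level check, not a full AST; the class name ExpressionGuard, the function whitelist and the sample inputs are assumptions made here, not anything the original poster's application contains.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical guard for the "subset of PHP" idea: accept one expression made of
 * literals, operators and calls to whitelisted functions. No variables at all
 * (closes $f(...) and $$var), no ';', no dynamic-call syntax.
 */
final class ExpressionGuard
{
    /** Data-only functions; nothing here accepts a callback, a file name or a command. */
    private const ALLOWED_FUNCTIONS = [
        'explode', 'implode', 'trim', 'strtoupper', 'strtolower', 'ucfirst',
        'str_replace', 'substr', 'strlen', 'strpos', 'str_pad', 'number_format',
        'round', 'floor', 'ceil', 'abs', 'max', 'min', 'count',
    ];
    // Deliberately absent: call_user_func, array_map, usort, preg_replace_callback,
    // assert, unserialize, file_*, exec ... anything that turns a string into code or I/O.

    private const ALLOWED_CONSTANTS = ['true', 'false', 'null'];

    /** Single-character tokens: grouping, separators, arithmetic and comparison. */
    private const ALLOWED_CHARS = ['(', ')', ',', '[', ']', '+', '-', '*', '/', '%', '.', '!', '<', '>', '?', ':'];

    /** Multi-character tokens: literals, comparison/boolean operators and casts. */
    private const ALLOWED_TOKENS = [
        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR,
        T_INT_CAST, T_DOUBLE_CAST, T_STRING_CAST, T_BOOL_CAST,
    ];

    /** Returns null when $expr passes, otherwise the reason it was rejected. */
    public static function check(string $expr): ?string
    {
        $tokens = token_get_all('<?php ' . $expr);
        $prev   = null;   // previous significant token: a string or [id, text, line]
        $depth  = 0;

        foreach ($tokens as $i => $tok) {
            if (is_array($tok)) {
                [$id, $text] = $tok;
                if ($id === T_OPEN_TAG || $id === T_WHITESPACE) {
                    continue;
                }
                if ($id === T_STRING) {
                    // A bare identifier is a call when followed by '(', otherwise a constant.
                    $name = strtolower($text);
                    if (self::nextSignificant($tokens, $i) === '(') {
                        if (!in_array($name, self::ALLOWED_FUNCTIONS, true)) {
                            return "function '$text' is not allowed";
                        }
                    } elseif (!in_array($name, self::ALLOWED_CONSTANTS, true)) {
                        return "identifier '$text' is not allowed";
                    }
                } elseif (!in_array($id, self::ALLOWED_TOKENS, true)) {
                    // Rejects T_VARIABLE ($f, $$var), T_EVAL, T_INCLUDE, T_ECHO, T_NEW,
                    // T_OBJECT_OPERATOR, namespace separators, comments, heredocs, ...
                    return token_name($id) . " ('$text') is not allowed";
                }
            } else {
                if (!in_array($tok, self::ALLOWED_CHARS, true)) {
                    return "character '$tok' is not allowed";   // ';', '=', '"', '`', '{', '$' ...
                }
                if ($tok === '(') {
                    // '(' may open a whitelisted call or a grouping after an operator, but not
                    // follow ')', ']' or a literal: since PHP 7, ('file_'.'get_'.'contents')('/etc/passwd')
                    // and 'system'('id') are calls.
                    if ($prev !== null && !self::mayPrecedeParen($prev)) {
                        return 'dynamic call syntax is not allowed';
                    }
                    $depth++;
                } elseif ($tok === ')' && --$depth < 0) {
                    return 'unbalanced parentheses';
                }
            }
            $prev = $tok;
        }
        return $depth === 0 ? null : 'unbalanced parentheses';
    }

    /** Validates, then evaluates. This is still eval() in-process; see the note below. */
    public static function evaluate(string $expr)
    {
        if (($why = self::check($expr)) !== null) {
            throw new InvalidArgumentException("rejected: $why");
        }
        return eval('return (' . $expr . ');');
    }

    private static function mayPrecedeParen($prev): bool
    {
        if (is_array($prev)) {
            return !in_array($prev[0], [T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER], true);
        }
        return $prev !== ')' && $prev !== ']';
    }

    private static function nextSignificant(array $tokens, int $i)
    {
        for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
            if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
                return $tokens[$j];
            }
        }
        return null;
    }
}

// Constructed inputs (the third is the bypass posted above); not data from any real application.
$samples = [
    "strtoupper(trim(' acme corp '))",
    "implode('-', explode(' ', 'a b c'))",
    '$f="file_"."get_"."contents";$p="\x2fetc\x2fpasswd";echo $f($p);',
    "('file_'.'get_'.'contents')('/etc/passwd')",
    "'system'('id')",
    "file_get_contents('/etc/passwd')",
];
foreach ($samples as $expr) {
    $why = ExpressionGuard::check($expr);
    echo str_pad($expr, 60), $why === null
        ? 'OK => ' . var_export(ExpressionGuard::evaluate($expr), true)
        : 'REJECTED: ' . $why, PHP_EOL;
}
```

The first two samples evaluate to 'ACME CORP' and 'a-b-c'; the rest are rejected before eval() ever sees them (a variable, a call after ')', a call on a string literal, a function outside the whitelist). Because eval() is a language construct with its own token (T_EVAL), it is rejected regardless of the function whitelist, and the same holds for include, echo and backticks. What this does not do is isolate the process: a whitelisted function with a bug, or a mistake in the whitelist, still runs with the web server's privileges, which is why the thread's advice to pair the filter with a sandbox (at minimum open_basedir and disable_functions, better a separate worker process) still applies.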
#8 jackiellowery (Registered User, Devshed Newbie, joined Nov 2012, 8 posts)

    Originally Posted by Jacques1
    Yes, dynamic function calls and stuff like $$var will need special treatment. And there are probably a lot of other things to consider.
    You guys don't think that just limiting the possible executables to be run using php's safe mode settings would be sufficient?
#9 Lost in code (Devshed Supreme Being, joined Dec 2004, 8,317 posts)

    Originally Posted by jackiellowery
    You guys don't think that just limiting the possible executables to be run using php's safe mode settings would be sufficient?
    Definitely not. As of about 6 months ago, "safe mode" no longer even exists in PHP. Even if it still did, it wouldn't have been useful in this scenario.

    However, that aside, it is possible to define, execute and assign the return value of a function into a variable in a single statement in PHP. However, I don't actually see how this would help much:
    PHP Code:
    $var = call_user_func(function() {
        return 'Value';
    });
    Allowing a user to run arbitrary PHP code is effectively identical from a security perspective to giving them FTP access as the web server user account. So, for example, this allows them to:
    - obtain any passwords or api tokens you have configured for any external services
    - retrieve or change any records in your database
    - change any page on your site
    - obtain the password of any user who logs in (or any other data users submit, like credit card numbers)
    - etc. Basically they can do anything.

    Now, a lot of administrators do have FTP access and thus could already do those things, but not all of them do for the security reasons listed above, so there's that to take into consideration.