  1. #1 Czaries (PHP/Rails Developer, Central USA)

    Allowing end-user PHP code in hosted application - thoughts?

    I just wanted to get a discussion going about the possibility of allowing end-user PHP code in a hosted application - here's my idea:

    Say there is some hosted PHP application, and it will allow end users limited FTP access to their site's account that would enable them to develop their own custom PHP modules based on a provided API. So instead of an API that uses webservices to communicate, you essentially allow some form of limited custom programming on the same server that can hook in and call functions on the API classes directly. The trick, of course, is security.

    I was thinking about a custom PHP parser that would essentially include their files, strip out certain functions like include, include_once, require, require_once, eval, fopen, file_*, etc. and then provide passthrough functions in the API to get that functionality (to make sure they are limited only to the user's account). It seems a bit convoluted, but it may work.

    Any thoughts on some other way to achieve this? Are the security risks too great to even consider this?
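
As an added example that is not part of the original post, here is the "strip certain functions" filter from the post written out as a regular expression and run over a handful of constructed tenant snippets; the banned list and the snippets are the editor's assumptions, not anything from the thread. Only the first snippet is caught. The other five reach the same functionality without ever spelling a banned name in front of a parenthesis:

```php
<?php
declare(strict_types=1);

// Added example (editor's code, not from the thread): a blacklist filter of the kind
// proposed above, plus constructed snippets that it does not catch.

/** Names the filter removes. Illustrative, not complete (that is the problem). */
const BANNED = ['include', 'include_once', 'require', 'require_once', 'eval',
                'fopen', 'file_get_contents', 'file_put_contents', 'system', 'exec', 'shell_exec'];

/** Naive blacklist: blank out "name(" for every banned name, case-insensitively. */
function strip_banned(string $code): string
{
    $names = implode('|', array_map('preg_quote', BANNED));
    return preg_replace('/\b(' . $names . ')\s*\(/i', '/*removed*/(', $code);
}

// Constructed inputs. Only the first names a banned function in the form the filter expects.
$snippets = [
    'plain call'        => '<?php system("id");',
    'no parentheses'    => '<?php include "/etc/passwd";',            // include is a construct; no "(" needed
    'variable function' => '<?php $f = "sys" . "tem"; $f("id");',     // name assembled at run time
    'callable string'   => '<?php ("sys" . "tem")("id");',            // PHP 7 uniform variable syntax
    'callback'          => '<?php array_map("sys" . "tem", ["id"]);',  // an unlisted function passes the name on
    'backticks'         => '<?php echo `id`;',                         // shell_exec without the word
];

foreach ($snippets as $label => $code) {
    $after = strip_banned($code);
    printf("%-18s %s\n", $label, $after === $code ? 'passes the filter unchanged' : 'blocked: ' . $after);
}
```

The point for a reviewer is that a text-level blacklist cannot enumerate the ways PHP turns a string into a call (variable functions, callable strings, callbacks, reflection, the backtick operator), and it cannot tell a function name in code from the same word inside a string or a comment. Later replies in this thread move to a token whitelist and to per-account interpreter settings for that reason.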

  2. #2 (SitePoint Addict, joined Aug 2007)
    What kind of data would you like to get from your API? What you are suggesting would, in my opinion, be a difficult task! Nearly everything in PHP could become a potential security threat.

  3. #3 Jasper Bekkers (SitePoint Addict, The Netherlands)
    I think I would approach it the other way around and use a second programming language that is easy to secure; the SpiderMonkey JavaScript engine from Mozilla comes to mind, or Lua might also work. SpiderMonkey could be used to build a PHP module that exports the API in that way. That would allow ultimate control over what the end-user can or can't do.

    However, if you're taking the route you proposed, consider the disable_functions setting, even though that can only be set from php.ini.

    Yet another way is to publish a simple library that accesses some sort of webservice you're supplying; basically moving the needs of the user to a different webserver and keeping yours secure.

    ----

    Edit

    The SpiderMonkey solution can become really nice when combined with either reflection or annotations to automatically 'discover' the classes that are exposed. However, it would require some C knowledge from the implementer (you), but the SpiderMonkey API is well documented and fairly simple. The Zend API, on the other hand, not so much.
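
On the disable_functions suggestion: the directive is PHP_INI_SYSTEM, so besides php.ini it can be set per Apache virtual host with php_admin_value, or per PHP-FPM pool, which is the natural unit for a hosted account because each pool can also run as its own OS user. The pool below is an added example written by the editor, not configuration from the thread; the pool name, user, socket path and directories are hypothetical:

```ini
; Added example (editor's, not from the thread): one PHP-FPM pool per hosted account.
; Pool name, user, socket and paths are hypothetical.
[acme]
user  = acme
group = acme
listen = /run/php-fpm/acme.sock
pm = ondemand
pm.max_children = 4
pm.process_idle_timeout = 10s

; php_admin_* settings cannot be overridden by ini_set() or .user.ini from the account's own code.
php_admin_value[open_basedir]       = /srv/hosted/acme:/srv/hosted/shared-api:/tmp/acme
php_admin_value[disable_functions]  = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl,putenv,mail
php_admin_flag[allow_url_fopen]     = off
php_admin_flag[allow_url_include]   = off
php_admin_value[sys_temp_dir]       = /tmp/acme
php_admin_value[upload_tmp_dir]     = /tmp/acme
php_admin_value[max_execution_time] = 10
php_admin_value[memory_limit]       = 64M
```

Two caveats a practitioner should keep in mind: disable_functions only covers internal functions (disabling shell_exec also disables the backtick operator, which is the same function), but it cannot remove language constructs such as eval or include, so it is a second layer under whatever source filtering is done, not a replacement for it; and open_basedir constrains file access but not the functions the account's code may call, which is why the two directives are set together.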

  4. #4 (SitePoint Enthusiast, joined Mar 2005)
    Still beta (and I guess it will stay beta), but it may help:
    http://pecl.php.net/package/runkit

  5. #5 Czaries (PHP/Rails Developer, Central USA)
    Thanks for the replies so far. Allow me to explain my thoughts a little more.

    The idea here is for the user to be able to provide functionality for their account in the hosted application, not just to retrieve data. So by nature it has to be more complex than simple webservices API calls. I'm talking about being able to make something that looks and acts like an integrated module, that could access and modify data, hook in at specific locations, etc. Almost like a more abstract plugin.

    I suppose something like this could be achieved with webservices using callbacks to a script on the user's server and back-and-forth communication between the two scripts on different servers, but that seems like it may be a little slow for the end user.

    Also - I don't have any kind of hosted application that I could actually do this with now, so I'm not really looking for a straight solution to this problem (although I do appreciate the help so far), but more of a discussion surrounding the whole idea.

  6. #6 (SitePoint Guru, joined Nov 2002)

  7. #7 Czaries (PHP/Rails Developer, Central USA)
    Wow Selkirk,

    That runkit sandbox looks very interesting... Thanks for the contribution!

  8. #8 philjohn (SitePoint Enthusiast)
    Sorry to bring up the old thread:

    The way I got round this in our e-commerce app (shipping and billing rules are editable PHP code) is by using the tokenizer functions built in to PHP. Split the code into tokens and then use a whitelist, not a blacklist, to say what language constructs and functions are allowed. You can do some really funky stuff like prepending all variables with another identifier so that people cannot access things they're not meant to.

    The output is saved to a file that gets included by an executor class that acts as a sandbox, only variables the script is meant to have access to are passed to the $exec->run() function.

  9. #9 kyberfabrikken (SitePoint Wizard, Copenhagen, Denmark)
    Quote Originally Posted by philjohn:
    The output is saved to a file that gets included by an executor class that acts as a sandbox, only variables the script is meant to have access to are passed to the $exec->run() function.
    I suppose you could use stream-wrappers to get around this step. Did you try that?
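
The token whitelist and variable prefixing philjohn describes in #8, together with the stream-wrapper shortcut kyberfabrikken asks about in #9, as one added example. This is the editor's code, not philjohn's rewriter: the rule syntax it admits (if/else/return, comparison and arithmetic operators, string and number literals, a few pure functions), the `rule_` prefix, the `rule://` wrapper name and the shipping rule are all assumptions, and PHP 8.0 or later is assumed for the constructor syntax.

```php
<?php
declare(strict_types=1);

// Added example (editor's code, not philjohn's or kyberfabrikken's): whitelist the tokens of a
// tenant "rule" snippet, prefix its variables, then include the rewritten source through an
// in-memory stream wrapper inside a closure whose scope holds only the variables handed to it.

final class RuleValidator
{
    private const TOKENS = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
        T_VARIABLE, T_STRING, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_IF, T_ELSEIF,
        T_ELSE, T_RETURN, T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_SMALLER_OR_EQUAL, T_IS_GREATER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR];
    private const CHARS = ['(', ')', '{', '}', ';', '+', '-', '*', '/', '<', '>', '=', ',', '!', '.'];
    /** The only bare identifiers a rule may use: three constants and a few pure functions. */
    private const IDENTIFIERS = ['true', 'false', 'null', 'round', 'max', 'min', 'abs'];

    public function __construct(private string $prefix = 'rule_') {}

    /** Returns the rewritten source, or throws on the first token outside the whitelist. */
    public function rewrite(string $source): string
    {
        $out = '';
        $prev = null; // last token that was not whitespace or a comment (token id or character)
        foreach (token_get_all($source) as $tok) {
            if (is_string($tok)) {                      // single-character tokens come back as strings
                if (!in_array($tok, self::CHARS, true)) { throw new InvalidArgumentException("token '$tok' is not allowed"); }
                // "(" after a variable, a string literal or ")" is a dynamic call: $f(), "system"(), (...)()
                if ($tok === '(' && in_array($prev, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')'], true)) {
                    throw new InvalidArgumentException('dynamic calls are not allowed');
                }
                $out .= $tok; $prev = $tok;
                continue;
            }
            [$id, $text, $line] = $tok;
            if (!in_array($id, self::TOKENS, true)) { throw new InvalidArgumentException(token_name($id) . " is not allowed on line $line"); }
            if ($id === T_STRING && !in_array(strtolower($text), self::IDENTIFIERS, true)) {
                throw new InvalidArgumentException("identifier '$text' is not allowed on line $line");
            }
            if ($id === T_VARIABLE) { $text = '$' . $this->prefix . substr($text, 1); } // $subtotal -> $rule_subtotal
            if (!in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) { $prev = $id; }
            $out .= $text;
        }
        return $out;
    }
}

/** Read-only stream wrapper serving rewritten rules from memory as rule://<name>, so no file is written. */
final class RuleStream
{
    public static array $sources = [];
    public $context;                       // assigned by PHP; declared so PHP 8.2 does not warn
    private string $data = '';
    private int $pos = 0;

    public function stream_open(string $path, string $mode, int $options, ?string &$opened): bool
    {
        $this->data = self::$sources[substr($path, strlen('rule://'))] ?? '';
        return $this->data !== '';
    }
    public function stream_read(int $count): string { $c = substr($this->data, $this->pos, $count); $this->pos += strlen($c); return $c; }
    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_stat(): array { return ['size' => strlen($this->data)]; }
    public function stream_set_option(int $opt, int $a, int $b): bool { return false; }
}
stream_wrapper_register('rule', RuleStream::class);

/** Execute a validated rule with only $vars visible to it (as $<prefix><name>); returns its return value. */
function run_rule(string $name, string $rewritten, array $vars, string $prefix = 'rule_')
{
    $scope = [];
    foreach ($vars as $k => $v) { $scope[$prefix . $k] = $v; }
    RuleStream::$sources[$name] = $rewritten;
    // A static closure has no $this and captures nothing; after extract() its locals are exactly $scope.
    $runner = static function (string $__path, array $__scope) {
        extract($__scope, EXTR_SKIP);
        return include $__path;
    };
    try { return $runner("rule://$name", $scope); }
    finally { unset(RuleStream::$sources[$name]); }
}

// Constructed tenant rule: free shipping from 100, otherwise 5% of the subtotal with a 4.95 floor.
$rule = "<?php\nif (\$subtotal >= 100) { return 0; }\nreturn max(4.95, round(\$subtotal * 0.05, 2));\n";
$validator = new RuleValidator();
var_dump(run_rule('shipping', $validator->rewrite($rule), ['subtotal' => 80]));   // float(4.95)

// Constructed hostile snippets, each refused by a different check above.
foreach (['<?php return system("id");', '<?php $f = "sys" . "tem"; return $f("id");',
          '<?php return ("sys" . "tem")("id");', '<?php include "/etc/passwd";', '<?php return `id`;'] as $bad) {
    try { $validator->rewrite($bad); echo "ACCEPTED (bug): $bad\n"; }
    catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
}
```

Everything hinges on the whitelist being closed. Variables are renamed, so `$this`, `$GLOBALS` and the executor's own locals are unreachable from the rule; the parenthesis rule refuses dynamic calls, including PHP 7's callable-string form; namespaced names, `new`, `->`, `::`, arrays, loops, heredocs and every other token not listed are refused by the lexer before the code reaches the interpreter; and `include` of a user-registered wrapper is not affected by `allow_url_include`, which only governs wrappers flagged as URLs. What the validator cannot do is bound CPU or memory, so max_execution_time and memory_limit still matter, and it does not replace per-account disable_functions and open_basedir, because any token the whitelist admits runs in-process with the host application's privileges.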

  10. #10 Czaries (PHP/Rails Developer, Central USA)
    Quote Originally Posted by philjohn:
    Sorry to bring up the old thread:

    The way I got round this in our e-commerce app (shipping and billing rules are editable PHP code) is by using the tokenizer functions built in to PHP. Split the code into tokens and then use a whitelist, not a blacklist, to say what language constructs and functions are allowed. You can do some really funky stuff like prepending all variables with another identifier so that people cannot access things they're not meant to.

    The output is saved to a file that gets included by an executor class that acts as a sandbox, only variables the script is meant to have access to are passed to the $exec->run() function.
    Thanks for contributing to the thread and for sharing your experiences. I don't think anyone will mind you bringing up this older thread, because I think this is an issue more and more people will want to explore as hosted applications become more prevalent.

    I was kind of thinking about using output buffering around the user-included files myself, so that they would have their own variable scope, and then just passing in allowed variables with setter methods much like most PHP template systems do already.

