  1. #1
    SitePoint Zealot

    PHP Execution Plugin for WordPress (modifying)

    Hi guys,

    I have some WordPress blogs in which I need to be able to execute PHP within the posts (in other words, I can type <?php echo date('Y'); ?> in the WordPress "New Post" editor and everyone will see 2009 in my blog entry).

    There is a plugin called PHP Execution ( http://wordpress.org/extend/plugins/...cution-plugin/ ) that allows this very thing.

    I see this plugin as a potential security risk, however. If a hacker were to gain access to my WordPress admin area, then they would have the ability to execute PHP code on my server, which could, in theory (I assume), do untold damage to my entire server (not just my WP blog).

    The meat and potatoes of this plugin is the function which does the following (pretty self-explanatory):

    Code PHP:
    /**
    * execute php inside post
    */
    function execute_php($content)
    {
    	ob_start();                  // capture everything the post prints
    	eval("?>$content<?php ");    // drop out of PHP mode first, so the post's own <?php ... ?> blocks run as written
    	$html = ob_get_contents();
    	ob_end_clean();
    	return $html;                // the rendered output replaces the post content
    }

    I want to somehow modify this, if possible, to strip out any PHP functions such as mkdir(), rmdir(), chmod(), or any other commands that would be totally out of the ordinary for what my PHP use would be within a blog post.

    Any ideas how I can go about doing this? I can't use strip_tags($content, $allowed), because I plan on echoing a lot of JavaScript and HTML as well, and building an $allowed list would be too difficult.

    Are there perhaps any methods using .htaccess I could implement that wouldn't break the intrinsic functionality of WP?

    I'm looking for any and all suggestions and ideas you may have. I've looked at this for quite some time and can't quite figure out a solution. I also don't know if I'm just being overly paranoid about this particular plugin.

    Thanks so much for your guidance and advice.

  2. #2
    Kayarc (SitePoint Zealot)

    You could make a .csv file that contains a list of all the functions that you want stripped out, and then make a function that processes it.

    Not sure if that's the best solution though
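Both posts above want to keep mkdir(), rmdir(), chmod() and the like out of the eval()'d post content, either by stripping names out (post #1) or by processing a .csv list of banned functions (post #2). The example below is an added one, not the plugin's code or either poster's. It takes the opposite approach: it runs the post through PHP's tokenizer and lets only named calls to a short allowlist through, because a list of bad names cannot see a call that is assembled at run time (`$f = "mk" . "dir"; $f(...)`), reached through a callback (`array_map("chmod", ...)`) or made through an object (`(new ReflectionFunction("rmdir"))->invoke(...)`). The $ALLOWED_FUNCTIONS list, the forbidden-token list and the sample posts are assumptions for illustration; it needs PHP 7.1 or later with the bundled tokenizer extension.

```php
<?php
// Added example (not the PHP Execution plugin's code): vet a post's PHP at the
// token level before it reaches eval(). Needs PHP 7.1+ with the tokenizer
// extension; the allowlist and the sample posts below are assumptions.

// Hypothetical allowlist: the only functions a post may call. Keep anything
// that accepts a callback (array_map, usort, call_user_func, ...) off it,
// because a callback name is just another way to reach mkdir() or chmod().
$ALLOWED_FUNCTIONS = ['date', 'strtoupper', 'strtolower', 'htmlspecialchars', 'number_format'];

// Token kinds that have no place in a blog post: code loading, objects,
// closures, namespaces and the string-interpolation forms that can hide a
// call. Looked up by name so the list works across PHP versions (some of
// these constants only exist on newer releases).
function forbidden_token_ids(): array
{
    $names = ['T_EVAL', 'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE', 'T_REQUIRE_ONCE',
        'T_NEW', 'T_CLASS', 'T_FUNCTION', 'T_FN', 'T_OBJECT_OPERATOR',
        'T_NULLSAFE_OBJECT_OPERATOR', 'T_PAAMAYIM_NEKUDOTAYIM', 'T_NS_SEPARATOR',
        'T_NAMESPACE', 'T_USE', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_QUALIFIED',
        'T_NAME_RELATIVE', 'T_CURLY_OPEN', 'T_DOLLAR_OPEN_CURLY_BRACES',
        'T_STRING_VARNAME', 'T_HALT_COMPILER', 'T_DECLARE', 'T_GOTO'];
    $ids = [];
    foreach ($names as $name) {
        if (defined($name)) {
            $ids[constant($name)] = $name;
        }
    }
    return $ids;
}

// Returns [bool $ok, string $reason]; stops at the first problem found.
function vet_post_php(string $content, array $allowedFunctions): array
{
    $forbidden = forbidden_token_ids();
    $allowed   = array_flip(array_map('strtolower', $allowedFunctions));
    $prev      = null;   // previous significant token (whitespace/comments skipped)
    $line      = 1;

    foreach (token_get_all($content) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;
            }
            if (isset($forbidden[$id])) {
                return [false, "line $line: $forbidden[$id] ('" . trim($text) . "') is not permitted"];
            }
        } else {
            // Single-character tokens arrive as plain strings.
            if ($tok === '`') {
                return [false, "line $line: shell execution via backticks is not permitted"];
            }
            if ($tok === '$') {
                return [false, "line $line: variable variables (\$\$name) are not permitted"];
            }
            if ($tok === '(') {
                // A bare name followed by '(' is a call: it must be on the allowlist.
                if (is_array($prev) && $prev[0] === T_STRING) {
                    $fn = strtolower($prev[1]);
                    if (!isset($allowed[$fn])) {
                        return [false, "line $line: $fn() is not on the allowlist"];
                    }
                }
                // $f(), 'mkdir'(), $a[0](), ('mk'.'dir')() and ${'f'}() call through
                // a value rather than a name, so no list of names can vet them.
                $dynamic = (is_array($prev)
                        && in_array($prev[0], [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_END_HEREDOC], true))
                    || in_array($prev, [')', ']', '}', '"'], true);
                if ($dynamic) {
                    return [false, "line $line: calling through a variable or expression is not permitted"];
                }
            }
        }
        $prev = $tok;
    }
    return [true, 'ok'];
}

// Same mechanism as the plugin's execute_php(), but failing closed on rejection.
function execute_php_vetted(string $content, array $allowedFunctions): string
{
    [$ok, $why] = vet_post_php($content, $allowedFunctions);
    if (!$ok) {
        return '<!-- post PHP rejected: ' . htmlspecialchars($why, ENT_QUOTES) . ' -->';
    }
    ob_start();
    eval("?>$content<?php ");
    return ob_get_clean();
}

// Constructed sample posts (not real content): one legitimate, four that a
// name-stripping filter would miss or that reach the filesystem by another route.
$samples = [
    'plain'    => 'Copyright <?php echo date("Y"); ?> Example Blog',
    'mkdir'    => '<?php mkdir("/tmp/pwned"); ?>',
    'dynamic'  => '<?php $f = "mk" . "dir"; $f("/tmp/pwned"); ?>',
    'reflect'  => '<?php (new ReflectionFunction("rmdir"))->invoke("/tmp/pwned"); ?>',
    'callback' => '<?php array_map("chmod", ["/tmp/pwned"], [0777]); ?>',
];
foreach ($samples as $label => $src) {
    [$ok, $why] = vet_post_php($src, $ALLOWED_FUNCTIONS);
    printf("%-8s %-8s %s\n", $label, $ok ? 'ALLOWED' : 'REJECTED', $why);
}
echo execute_php_vetted($samples['plain'], $ALLOWED_FUNCTIONS), "\n";
```

Run it and only the `plain` post is allowed; `dynamic`, `reflect` and `callback` never mention a banned name in a form a string filter or a .csv of function names would match, which is why the gate keys on the token that is about to be called rather than on which words appear. Whatever passes the gate still runs as the web server user with everything the WordPress process can do, so the allowlist should stay short and hold nothing that touches files, the network or the database.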