仅使特定函数和变量在 PHP 中可用
我想做一个编程环境。我将用一个例子来解释它。
一名程序员将编写该代码;
<html>
<head>
<?php definedMetaTags(); ?>
</head>
</body>
程序员将保存该文件,然后上传到我的系统。该文件将在服务器端执行,然后系统将返回生成的代码。
DefinedMetaTags() 函数已经写入系统中。
Compiler.php 的一个示例:
<?php
require_once("definitionsForProgrammer.php");
include("uploadedfile.php");
?>
我的问题是我只想允许 uploadedfile.php 执行我想要的功能。否则,也许那个程序员写了一些我想让他/她做的代码。 (删除文件、mysql连接等)
有没有办法让代码只包含特定的函数、变量、常量?
I want to make a programming environment. I will explain it with an example.
One programmer will write that code;
<html>
<head>
<?php definedMetaTags(); ?>
</head>
</body>
Programmer will save this file and then upload to my system. That file will be executed at server side and then they system will turn generated code back.
That definedMetaTags() function will be already written in the system.
An example of Compiler.php:
<?php
require_once("definitionsForProgrammer.php");
include("uploadedfile.php");
?>
My question is that I want to allow that uploadedfile.php only what functions I want. Else, maybe that programmer writes some codes what I want him/her to do. (Deleting files, mysql connection, etc.)
Is there any way to allow a code only specific functions, variables, constans?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果目标是允许用户插入将被某些 PHP 函数执行替换的占位符,则无需将上传的文件视为 PHP 代码:
那么 Compiler.php 将如下所示:
defineMetaTags()函数需要重新设计,以便它以字符串形式返回标签,而不是直接将它们打印到输出中。这种方法允许您定义任意数量的宏,而不会让自己面临其他人提到的所有安全风险。
If the goal is to allow a user to insert placeholders that will be replaced by some PHP function execution, then there's no need to treat the uploaded file as PHP code:
Then Compiler.php would look like this:
The
definedMetaTags()function would need to be reworked so that it returns the tags as a string instead of printing them directly to output.This method would allow you to define any number of macros without exposing yourself to all the security risks the others here have mentioned.
如果您的目标是安全并且想让他们编写函数,那么简短的答案是:不。
本质上,您需要一个 PHP 沙箱,它可以让您限制可以执行的代码。 PHP 必须在基础层面上支持它才能工作。例如,假设您采取的方法是“我只允许用户编写名为“foo”的函数”。在该函数内部,尽管用户可以做各种坏事,例如进行系统调用、下载其他代码并执行它等。为了防止这种情况,您需要在系统中的较低级别实施检查。
如果您愿意将范围仅限于变量定义,那么您可以做到。您可以使用 token_get_all() 和 token_name() 检查该文件,以确保其中不包含任何您不需要的代码。例如:
如果您不喜欢看到的任何标记,请不要包含该文件。理论上,您也可以通过这种方式防范不良功能,但需要付出相当大的努力来正确解析文件并确保它们不会做坏事。
参考文献:
If you're aiming for security and you want to let them to write functions, then the short answer is: no.
Essentially you're asking for a PHP sandbox which will let you constrain what code can be executed. PHP would have to support this at a fundamental level for it to work. For example, supposing you took the approach of saying "I only allow the user to write a function named 'foo'". Inside that function, though the user can do all kinds of bad things like making system calls, downloading other code and executing it, etc. In order to prevent this you'd need to implement checks at a much lower level in the system.
If you're willing to restrict the scope only to variable definitions then yes you can do it. You can use token_get_all() and token_name() to examine the file to make sure that it doesn't have any code that you don't want in it. For example:
If you don't like any tokens you see, don't include the file. You could theoretically guard against bad functions this way as well, but it'll require a fair amount of effort to properly parse the file and make sure that they're not doing something bad.
references:
好吧,如果我正确理解你的问题。如果你包含(“uploadedfile.php”);您将获得其中的一切。
您可以做的是将代码分解为相关部分(无论是通过类还是文件中的函数定义),然后仅包含您想要的文件/类。
(如果这不是您要问的,请告诉我)
Well, if i'm understanding your question correctly. If you include("uploadedfile.php"); you will acquire everything in it.
What you could do is break your code up into related sections (whether it be via classes or just function definitions in a file) then only include the file/class that you want.
(let me know if that's not what your asking)