 

How to deny the use of dangerous PHP functions? [duplicate]

Tags:

php

Possible Duplicate:
PHP: How To Disable Dangerous Functions

Hi, this is my situation: I must let my clients enter PHP code, but only safe functions like string functions, date functions, etc. So I need the list of dangerous PHP functions, to remove them using string replace before saving to a PHP file. Any suggestions?

StoneHeart asked Aug 17 '10 09:08


2 Answers

Forget it. Reliable function whitelisting is not possible in PHP. Example:

<?php
// No literal "exec" appears in the source: the name is assembled at run time.
$x = 'e' . str_replace('y', 'x', 'yec');
// ...lots of code...
$x('format c:');

Realistic options are:

  • disabling functions (http://php.net/manual/en/ini.core.php#ini.disable-functions)
  • sandboxing (see Recommendations for sandboxing inside PHP5 or alternatives?)
5 revs, 3 users 47% answered Nov 20 '22 22:11
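To make the answer's point concrete, here is an added example (not the answer's own code) of why the string-replace blacklist the question proposes does not hold. The blacklist, the naiveFilter() helper and the payloads are constructed for this demo. None of the payloads contains a blacklisted name as a literal substring, so the filter passes all of them unchanged, yet every one evaluates to the string 'exec', which a variable function call such as $name('id') would then invoke. The demo evaluates only the name-building expression and never calls the resulting function.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not the original answer's code): why stripping blacklisted
 * names from submitted source, as the question proposes, does not hold.
 * The blacklist and the payloads are constructed for this demo. No payload
 * contains a blacklisted name as a literal substring, so the filter passes
 * every one of them unchanged; yet each evaluates to the string 'exec',
 * which a variable function call such as $name('id') would then invoke.
 * The demo evaluates only the name-building expression and never calls it.
 */

const BLACKLIST = ['exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen', 'eval'];

/** The question's approach: delete blacklisted names before saving the file. */
function naiveFilter(string $code): string
{
    return str_ireplace(BLACKLIST, '', $code);
}

/** Each payload returns the callee name; the source never spells it out. */
$payloads = [
    "the answer's str_replace trick" => 'return "e" . str_replace("y", "x", "yec");',
    'plain concatenation'            => 'return "ex" . "ec";',
    'chr() per character'            => 'return chr(101) . chr(120) . chr(101) . chr(99);',
    'base64_decode'                  => 'return base64_decode("ZXhlYw==");',
    'hex escapes in a string'        => 'return "\x65\x78\x65\x63";',
    'strrev'                         => 'return strrev("cexe");',
];

foreach ($payloads as $label => $code) {
    $filtered = naiveFilter($code);
    $name     = eval($filtered);        // runs the name-building expression only
    printf(
        "%-32s passes filter: %-3s  resolves to: %s  callable: %s\n",
        $label,
        $filtered === $code ? 'yes' : 'no',
        $name,
        is_callable($name) ? 'yes' : 'no'
    );
}
// Routes that never name a function at all, such as the backtick operator
// (`id`, equivalent to shell_exec), are invisible to a name filter entirely.
```

Every row prints "passes filter: yes" and "resolves to: exec". The last column is where the answer's first realistic option shows up: run the same script with `php -d disable_functions=exec demo.php` on PHP 8 and it prints "callable: no", because a function listed in disable_functions is removed from the function table. Note that disable_functions is a PHP_INI_SYSTEM directive, so it has to be set in php.ini or on the command line, not with ini_set().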


As far as I know, you can only use a black-list approach:

  • http://es2.php.net/manual/en/ini.core.php#ini.disable-functions
  • http://es2.php.net/manual/en/ini.core.php#ini.disable-classes

Of course, you have to consider how feasible it is to maintain an updated list of all built-in functions defined by all the possible extensions.

Another possibility I can think of is writing a simple tokenizer:

http://es2.php.net/manual/en/function.token-get-all.php

You can then check the functions used against a white list.

Update: I was under the wrong impression that token_get_all() would identify function calls, but it actually doesn't. They're all T_STRINGs.

Álvaro González answered Nov 20 '22 23:11
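Since token_get_all() reports a function name as a bare T_STRING, a tokenizer-based whitelist has to decide for itself what a call looks like. The following is an added example (not the answer's code and not from the PHP manual) of one way to do that: a '(' whose previous significant token is a name is treated as a call and checked against the whitelist, and every construct that can reach a function without naming it in the source (variable functions, string literals or parenthesised expressions used as callees, eval, backticks, include/require, new, static calls, namespaced names and variable variables) is rejected outright. The whitelist, the checkSubmittedCode() helper and the sample snippets are constructed for this demo; it assumes PHP 8.0 or later for the T_NAME_* tokens. Note that the whitelist deliberately contains no function that accepts a callable, since array_map('ex' . 'ec', ...) would otherwise reopen exactly the hole the first answer describes, and that the checker is still a list of forbidden constructs, so that answer's warning applies to it as well.

```php
<?php
declare(strict_types=1);

/*
 * Added example for this page (not the answer's code): a whitelist checker
 * built on token_get_all(). The tokenizer reports a function name as a bare
 * T_STRING, so the checker defines a call itself: a '(' whose previous
 * significant token is a name. Anything that can reach a function without
 * naming it in the source is rejected. Assumes PHP 8.0+ (T_NAME_* tokens).
 * The whitelist and the sample snippets are constructed for the demo.
 */

/** Functions clients may call. None of these accepts a callable. */
const WHITELIST = [
    'strlen', 'strtoupper', 'strtolower', 'str_replace', 'substr', 'trim',
    'sprintf', 'implode', 'explode', 'date', 'time', 'strtotime',
];

/** Tokens rejected wherever they appear. */
const FORBIDDEN = [
    T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
    T_NEW, T_DOUBLE_COLON,                          // no objects, no static calls
    T_NAMESPACE, T_NS_SEPARATOR,                    // no namespaced or \qualified names
    T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED, T_NAME_RELATIVE,
    T_DOLLAR_OPEN_CURLY_BRACES, T_STRING_VARNAME,   // "${name}" variable variables
    T_HALT_COMPILER,
];

/** Single-character tokens rejected wherever they appear: backticks, $$var, ${expr}. */
const FORBIDDEN_CHARS = ['`', '$'];

/** Callees computed at run time: a variable, a string literal, or a closed expression. */
const DYNAMIC_CALLEES      = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_END_HEREDOC];
const DYNAMIC_CALLEE_CHARS = [')', ']', '}', '"'];

/**
 * Returns a list of violations; an empty list means the code only calls
 * whitelisted functions. A parse error is reported as a violation too.
 */
function checkSubmittedCode(string $code): array
{
    try {
        $raw = token_get_all($code, TOKEN_PARSE);
    } catch (ParseError $e) {
        return ['parse error: ' . $e->getMessage()];
    }

    // Drop whitespace and comments so "strlen /* x */ (...)" is still a call.
    $tokens = array_values(array_filter($raw, static function ($t): bool {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));

    $errors = [];
    $line   = 1;
    foreach ($tokens as $i => $t) {
        if (is_array($t)) {
            [$id, $text, $line] = $t;
            if (in_array($id, FORBIDDEN, true)) {
                $errors[] = "line $line: '$text' is not allowed";
            }
            continue;
        }
        if (in_array($t, FORBIDDEN_CHARS, true)) {
            $errors[] = "line $line: '$t' is not allowed";
            continue;
        }
        if ($t !== '(' || $i === 0) {
            continue;
        }
        $prev = $tokens[$i - 1];           // the thing being called
        if (is_array($prev)) {
            if ($prev[0] === T_STRING && !in_array(strtolower($prev[1]), WHITELIST, true)) {
                $errors[] = "line {$prev[2]}: {$prev[1]}() is not on the whitelist";
            } elseif (in_array($prev[0], DYNAMIC_CALLEES, true)) {
                $errors[] = "line {$prev[2]}: dynamic call through {$prev[1]} is not allowed";
            }
        } elseif (in_array($prev, DYNAMIC_CALLEE_CHARS, true)) {
            $errors[] = "line $line: dynamic call after '$prev' is not allowed";
        }
    }
    return $errors;
}

// Constructed samples: what a client might submit, and what the checker says.
$samples = [
    'plain string/date use'         => "<?php echo StrLen (trim(' x ')) . date('Y-m-d', time());",
    'direct exec'                   => "<?php exec('id');",
    'variable function'             => "<?php \$x = 'exe' . 'c'; \$x('id');",
    'call on parenthesised expr'    => "<?php ('ex' . 'ec')('id');",
    'string literal as callee'      => "<?php 'exec'('id');",
    'callback-taking function'      => "<?php array_map('ex' . 'ec', ['id']);",
    'backtick operator'             => "<?php echo `id`;",
    'variable variable'             => "<?php \$\$f('id');",
    'fully qualified name'          => "<?php \\exec('id');",
    'eval'                          => "<?php eval('1;');",
    'syntax error'                  => "<?php strlen(",
];

foreach ($samples as $label => $code) {
    $errors = checkSubmittedCode($code);
    printf("%-30s %s\n", $label, $errors ? 'REJECT: ' . implode('; ', $errors) : 'ok');
}
```

Only the first sample comes back "ok"; each of the others is rejected with the line and the construct that tripped it, and the last one is rejected by the parser itself because TOKEN_PARSE makes token_get_all() throw ParseError on invalid code. The check is deliberately conservative: a harmless parenthesised expression statement such as `($b = 1);` is refused too, which is the right trade-off for code you are about to save as a PHP file and run.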