Adding embedded scripting to a PHP page [closed]

Tags: php, parsing, dsl

I have a class like this:

    class Person {
        public $name; // declared explicitly; dynamic properties are deprecated since PHP 8.2

        function __construct($name) {
            $this->name = $name;
        }

        function show() {
            echo $this->name;
        }
    }

On my PHP page, I'd like to have a textbox that lets me either type in a custom-language script or a PHP script (without security vulnerabilities somehow) like:

PHP Example:

    $me = new Person("Alexander");
    $me->show();

And see output on the page with the result of the show() function. Obviously I don't want people writing malicious code. How is this done? I don't have any experience with this type of programming.

Examples of problem domain:

Interactive "learn PHP" website. User can type PHP in and see result without having to set up their own web server.

"Program an attack script" game. User programs their fleet AI and watches the result of the battle against the computer AI.

asked Mar 27 '26 15:03 by Chris G.


1 Answer

The simplest option is to run a sandboxed virtual server. You can also try the PHP sandbox, though it doesn't look to be sufficient.

Ultimately, the safest approach would be to create your own interpreters that simply don't have capabilities that would let malicious scripts perform any damaging tasks (i.e. they have no effect in the real world), which is a topic that can fill books. The interpreter translates the code into a format that can be executed by a VM, which emulates whatever system features you want to support and provides sandboxed system calls (though the latter can also be provided by interpreter libraries you create). Basing the project on a VM allows you to support multiple languages without having to create an executor for each. Microsoft's CLI and VES provide an example of this.

When it comes to books with more information, basically anything on compilers/interpreters and virtual machines is of primary relevance. For more on VMs, see also "Good literature about making a VM", "Simple Interpreted Language Design & Implementation".

answered Mar 30 '26 04:03 by outis
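
The "own interpreter without dangerous capabilities" approach from the answer, reduced to the two statement forms in the question, as an added example that is not part of the original answer. `runScript()` and the `$allowed` map are hypothetical names, and the grammar (string literals without quotes or backslashes) is an assumption.

```php
<?php
// Added example: runScript() and $allowed are hypothetical, not from the page.
class Person {
    public $name;
    function __construct($name) { $this->name = $name; }
    function show() { echo $this->name; }
}

// Grammar: exactly two statement forms, nothing else is reachable.
//   $var = new Class("text");
//   $var->method();
function runScript(string $source, array $allowed): string {
    $re = '/\G\s*(?:\$(\w+)\s*=\s*new\s+(\w+)\s*\(\s*"([^"\\\\]*)"\s*\)'
        . '|\$(\w+)\s*->\s*(\w+)\s*\(\s*\))\s*;\s*/';
    $source = trim($source);
    $vars = [];
    $pos = 0;
    ob_start(); // capture what allowlisted methods echo
    try {
        while ($pos < strlen($source)) {
            // Script text is matched against the grammar, never passed to eval().
            if (!preg_match($re, $source, $m, 0, $pos)) {
                throw new RuntimeException("Syntax error at offset $pos");
            }
            $pos += strlen($m[0]);
            [, $var, $class, $arg] = $m;
            if ($var !== '') { // $var = new Class("text");
                if (!isset($allowed[$class])) {
                    throw new RuntimeException('Class not allowed: ' . $class);
                }
                $vars[$var] = new $class($arg);
            } else { // $var->method();
                [, , , , $var, $method] = $m;
                if (!isset($vars[$var])) {
                    throw new RuntimeException('Undefined variable: $' . $var);
                }
                $obj = $vars[$var];
                if (!in_array($method, $allowed[get_class($obj)], true)) {
                    throw new RuntimeException('Method not allowed: ' . $method);
                }
                $obj->{$method}();
            }
        }
        // Output carries user-supplied text, so escape it before it reaches the page.
        return htmlspecialchars(ob_get_clean(), ENT_QUOTES, 'UTF-8');
    } catch (Throwable $e) { ob_end_clean(); throw $e; }
}

$allowed = ['Person' => ['show']]; // class => methods scripts may call
echo runScript('$me = new Person("Alexander"); $me->show();', $allowed);
```

Anything outside the grammar, such as `system("id");` or a class missing from `$allowed`, raises an exception before any object is touched.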


