Safely executing users' PHP scripts on the server

Tags: linux, php

I'm writing a collaborative project designed to allow code contributions from users. Users will be able to extend a class, add functionality, etc., and submit the code back to the server for regular execution.

Is there a safe way to execute users' PHP code? A foolproof sanitizing method? What about infinite loops? Or should I offer a different scripting language?

Al. asked Aug 07 '09 15:08


1 Answer

  • JailRoot for the DocumentRoot

  • SafeMode ON to allow access to files only on specific directories

  • Use a per USER MPM to limit system resources to the apache process

  • Set safe php.ini settings for memory limit and max_execution_time

And as Saggi Malachi noted, this is very experimental; you have to monitor the actions on the server and have fallback scenarios, e.g. cronjobs watching load average: if load average is above threshold, stop apache and sendmail.

Another good idea is to compile your own php and deny access to php functions which could be "exploited" by your users.

Rufinus answered Sep 28 '22 08:09
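The php.ini side of the answer above (file-access confinement, denied functions, memory and time limits), written out as an added example with the weak setting next to the hardened one; this is not the answerer's configuration, the directive names are real PHP settings, and the jail paths and limit values are assumptions to adapt to your deployment.

```ini
; Hardened php.ini fragment for a PHP pool that runs only user-submitted code.
; Added example, not from the original answer; paths and limits are assumed values.

; --- Filesystem scope (the "files only on specific directories" item) ---
; Weak: open_basedir left unset, so scripts read any file the web user can.
;open_basedir =
; Hardened: confine file access to the jail and its scratch directory (assumed paths).
open_basedir = "/srv/jail/htdocs:/srv/jail/tmp"
upload_tmp_dir = "/srv/jail/tmp"
sys_temp_dir = "/srv/jail/tmp"

; --- Dangerous built-ins (the "deny access to php functions" item) ---
; Weak: disable_functions left empty, so user code can spawn processes.
;disable_functions =
; Hardened: no process spawning, no dynamic extension loading, no mail relaying.
; ini_set and set_time_limit are included because memory_limit and
; max_execution_time can otherwise be raised again from inside the script.
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,pcntl_fork,dl,mail,putenv,ini_set,set_time_limit"
enable_dl = Off

; --- Resource limits (the memory_limit / max_execution_time item) ---
; Weak: memory_limit = -1 (unlimited) and max_execution_time = 0 (unlimited,
; which is also the default on the CLI).
memory_limit = 64M
max_execution_time = 5
max_input_time = 5

; --- Remote code inclusion ---
allow_url_fopen = Off
allow_url_include = Off

; --- Reduce what a user learns from errors ---
display_errors = Off
expose_php = Off
```

Two caveats: safe_mode, which the answer relies on, was deprecated in PHP 5.3 and removed in 5.4, so open_basedir plus disable_functions is what remains of it; and on non-Windows systems max_execution_time counts only the script's own CPU time, not sleep(), I/O or other system calls, so a loop that mostly waits is not stopped by it, which is why the answer's Apache-level resource limits and load-average watchdog are still needed.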