Sandboxing Users' PHP Code

Question

I want to limit what PHP functionality my users have access to.

For instance there is an object $data and the user likes to use if for and echo.

Obviously allowing him to write PHP would be a serious vulnerability.

Is there any way to run this PHP in a sandbox or would you recommend any lightweight PHP template engine?

Answer 1

If you don't have your own server you probably don't have runkit. But what you do have (probably) is Tokenizer! Using the Tokenizer you may look through the given source code and abort if you find an invalid token. Here an example how to validate an array using this. You could do same for your purpose. The PHP documentation has a list of tokens. If you need help deciding which tokens to allow or to disallow, please say so.

€dit: And obviously I do recommend to use Twig, too. It is so nice - and has sandboxing!

Answer 2

The only one I know so far is runkit.

The runkit extension provides means to modify constants, user-defined functions, and user-defined classes. It also provides for custom superglobal variables and embeddable sub-interpreters via sandboxing.

Update:

I could find these two links regarding zend and runkit you should take a look at:

http://framework.zend.com/wiki/display/ZFPROP/Zend_Http_Server+-+Mat+Scales
http://www.dunfy.me.uk/?p=38

Answer 3

Along the lines of smarty, give twig a try!

There is also a very robust extension system which allows you to allow/disallow built-in or custom tags, token parsers, nodes, etc in the template language itself. This way, users can have basic logic (conditional statements, "functions" (blocks) and iterators) without resorting to the evils of eval.

Answer 4

Tried Smarty? http://www.smarty.net/

Answer 5

The PECL runkit extension does provide sandboxing, but it's possibly a bit overkill for what you want to do

Answer 6

PHP Fat-Free Framework has a template engine that prohibits the use of PHP code and allows you to define which functions can be used inside HTML templates.

There's also a real sandboxing feature that makes functions and include files independent of others, i.e. variables/functions in one include file are not known to others, so you can have a function with an identical name as another include file. This may be of some use for (dysfunctional) developer teams.