Hello. For some reason, I need to allow users to submit a form with arbitrary PHP code to my server so that this code can be executed on the server. Is it possible to somehow filter out scripts that are unsafe for the server? For example, prohibit all functions and constructs except "foreach", "echo", "if ($var1 == $var2)", etc.? Or perhaps there are some very simple template engines with which the user could submit not PHP code but an HTML template, and have it executed? Thank you in advance.
- Of course there are. There are sites that allow you to run code online. This is called phpsandbox. Search Google for phpsandbox + github to find options written specifically in PHP - vitidev
1 answer
Code can be executed safely in several ways:
- using the https://github.com/Corveda/PHPSandbox library
- using the extension http://php.net/manual/ru/book.runkit.php
- setting up an additional server or running scripts in a separate process
But most likely a template engine will be enough for you. There are thousands of them. One of the most popular is Twig. You can control the compilation of the template yourself, showing errors to the user:

    $twig->parse($twig->tokenize($template));

and catch exceptions.
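
Added example (not part of the original answer): the Twig route combined with Twig's sandbox extension, so user templates are limited to an allow-list close to the "foreach / if / echo" set the question asks for. It assumes Twig 3 installed via Composer, where `tokenize()` takes a `Twig\Source` object; the function name `renderUserTemplate` and the sample templates are hypothetical.

```php
<?php
// Assumption: twig/twig 3.x is installed with Composer in this directory.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\SyntaxError;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;
use Twig\Source;

// Hypothetical helper: render an untrusted template with an allow-list policy.
function renderUserTemplate(string $template, array $context): array
{
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);

    // Allowed tags and filters; no object methods, properties or functions.
    $policy = new SecurityPolicy(['if', 'for'], ['escape', 'upper', 'length'], [], [], []);
    $twig->addExtension(new SandboxExtension($policy, true)); // true: sandbox every template

    try {
        // Syntax check first, so the user gets an error with a line number.
        $twig->parse($twig->tokenize(new Source($template, 'user_template')));
        return ['ok' => true, 'output' => $twig->createTemplate($template)->render($context)];
    } catch (SyntaxError $e) {
        $msg = 'Syntax error on line ' . $e->getTemplateLine() . ': ' . $e->getRawMessage();
    } catch (SecurityError $e) {
        $msg = 'Not allowed: ' . $e->getRawMessage();
    }
    // The message can echo parts of the user's template, so escape it for HTML.
    return ['ok' => false, 'error' => htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')];
}

// Constructed sample input: pass plain arrays and scalars, never objects.
$context = ['users' => [['name' => 'alice', 'active' => true], ['name' => 'bob', 'active' => false]]];
$samples = [
    '{% for u in users %}{% if u.active %}{{ u.name|upper }}{% endif %}{% endfor %}', // renders
    '{% for u in users %}{{ u.name }',                                                // syntax error
    '{{ constant("PHP_VERSION") }}',                                                  // function not on the allow-list
];
foreach ($samples as $tpl) {
    print_r(renderUserTemplate($tpl, $context));
}
```

The sandbox restricts what a template may call, not how much CPU or memory it uses, so request time and memory limits still apply to user templates.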