parsing eval'd code

stef4n

i develop an application which let users develop additional php-code online (which is saved in the db) and eval'd when needed.

the problem is: if i grant an user rights to develop this eval'd code, he gets allmighty on my system. example: php-functions like "exec, system, passthru".

so is there a way to get out special php-funcs out of the code?

maybe a regular-expression search? or is there a mightier php-parser somewhere?

thanks,
stefan

[deleted]

What you are doing is too dangerous.

A simpe 'exit' will kill your script,
or a while(1){} will hang it.
Imagine a script that start 5000 copies of VI on your server.
And I'm sure there are more creative ways of making your website crash.

You can't simply parse the code because it's too easy to make something that looks innocent.

In short, never let a user enter PHP code at all.

stef4n

i have to let them. i'm working on a wiki-clone, and there multiple authors should be able to enter code. of course only if they got rights for it - and those rights are only given to people who i trust.

but it wouln'd be too bad to make a little additional security ...