Hi,
I am running my own Apache 2.0.36, PHP 4.2.0 (as module) server on Win2K. I do not have safe mode on.
What I would like to do is have one specific page which may execute code that is derived from an input element on another web page. As such, the code could be arbitrary. Therefore, I would like this particular receiving page, only, to be "safe". But as I understand it, given that I'm running php as a module, php.ini is not reread.
So is there any way to make this page independently safe? To my simple-minded way of looking at things, and assuming there is no "standard" way, this amounts to me disabling evals (since if they are disabled, then I can safely scan the intended (to be run) code and search for the other "forbidden" functions). By disabling, I simply mean not running any portion of code that has evals or the other forbidden elements.
However, an implicit eval also pops up in preg_replace, and though I'd rather not exclude preg_replace, I can't reliably determine whether a /e option has been given, so I will have to exclude it, too.
Ultimately, my question is whether my approach is OK or whether I am missing something (also, are there other implicit evals?)
Thanks,
Csaba Gabor
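
The scan the post describes, as an added example that is not part of the original message: it walks the lexer's token stream (`token_get_all`) instead of searching text, so names inside strings and comments are ignored, and it goes beyond the post by also rejecting calls whose target cannot be resolved statically. The function name `find_forbidden`, the `DENY` list and the sample submissions are constructed for illustration; the list is not exhaustive, and the code is written for PHP 7.1 or later.

```php
<?php
// Added example: static pre-filter for submitted PHP code.
// DENY is a constructed sample list (an assumption), not complete.
const DENY = ['preg_replace', 'create_function', 'assert', 'call_user_func',
              'call_user_func_array', 'system', 'exec', 'passthru', 'shell_exec'];

function find_forbidden(string $code): array
{
    $hits = [];
    $prev = null;                       // previous significant token: [id|null, text]
    $nameIds = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {   // PHP 8 lexes \foo as a single token
        $nameIds[] = T_NAME_FULLY_QUALIFIED;
    }
    foreach (token_get_all('<?php ' . $code) as $tok) {
        // Single-character tokens come back as plain strings, others as arrays.
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [null, $tok];
        if (in_array($id, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $hits[] = strtolower($text);            // constructs that evaluate code
        } elseif ($id === null && $text === '`') {
            $hits[] = 'backtick shell execution';
        } elseif ($id === null && $text === '(' && $prev !== null) {
            [$pid, $ptext] = $prev;
            $name = strtolower(ltrim($ptext, '\\'));
            if (in_array($pid, $nameIds, true) && in_array($name, DENY, true)) {
                $hits[] = $name;                    // direct call to a denied function
            } elseif ($pid === T_VARIABLE || ($pid === null && in_array($ptext, [')', ']', '}'], true))) {
                $hits[] = 'dynamic call (target not known statically)';
            }
        }
        $prev = [$id, $text];
    }
    return array_values(array_unique($hits));
}

// Constructed sample submissions.
$samples = [
    'echo strtoupper("ok");',
    'echo preg_replace("/a/e", "phpinfo()", "a");',
    '$f = "preg" . "_replace"; echo $f($p, $r, $s);',
    "// eval( in a comment\n" . 'echo "eval(1)";',
];
foreach ($samples as $s) {
    $h = find_forbidden($s);
    echo ($h ? 'REJECT [' . implode(', ', $h) . ']' : 'accept'), "\n";
}
```

The third sample is the case a name search misses: the function name is assembled at run time, so only the call shape (`$f(`) is visible to a static scan.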