restricting native php functions

sfullman

For a really smart person:

I would like to have an interface that allows someone to enter a php formula and have it output as part of their setting. You can imagine I've got some security concerns.

For example, if they were to enter:

echo file("root/path",$PHP_SELF);

they would see all the source code for the page.

Is there anyway to set up restrictions on functions like file(), without doing somersaults trying to detect these functions using regular expressions, i.e. to give the user a subset of native functions to use?

Thank you profusely for either a conclusive yes and instruction, or a conclusive no.

Thanks,
Sam Fullman
Compass Point Media

epp_b

Yes and No (how's that for an answer 😉)

Take a look at Safe Mode. Specifically, the disable_functions directive in php.ini

If it's just one function (in this case, file()), I personally think regex would be a better alternative.