Disallowing an included file access to superglobals?

evan_k

I have a function where I include another php script, and capture its output into a string:

function include_capture($file = NULL) {
  // if no file path, dump out
  if (is_null($file)) {
    return NULL;
  }

  // using output buffering, capture output of the included file
  ob_start();
  include($file);
  $result = ob_get_contents();
  ob_end_clean();

  // return output
  return $result;
}

This works well, but for security reasons, I was wondering if there was any way to prevent the included script from having access to the PHP superglobals, such as $GLOBAL or $_ENV. For example, I know that in Perl its possible to restrict access to global variables by creating overriding locals:

$global_var = 'something I dont want you to see...';

sub override_global {
  # set to undefined value
  local $global_var = undef;

  # prints nothing
  print $global_var;
}

# prints the global variable
print $global_var;

Is there something similar to this in PHP, or perhaps a different technique to achieve the same result?

sneakyimp

you could do something like this maybe?

$rememeber_GLOBAL = $GLOBAL;
$remember_ENV = $ENV;

$GLOBAL = null;
$ENV = null;

ob_start();
include($file);
$result = ob_get_contents();
ob_end_clean();

$GLOBAL = $rememeber_GLOBAL;
$ENV = $remember_ENV;

I have no idea if that would work or not but maybe try it?

evan_k

thanks, thats a step in the right direction...though those $remember_ variables are visible in the scope of the include file as well. thats ok though, i dont need it to be a ironclad solution, just enough to keep someone from accidentally mucking things up 🙂

laserlight

There may be simpler solution though: include the file using the URL fopen wrapper. The included file will then not inherit the scope of the current file.