Re: Isolated Execution Environment in PHP? (a la Safe module in Perl)

Eric Dorland wrote:
> We've created our own CMS in PHP and we'd like to allow our users to do
> more sophisticated things, like embed their own PHP code in pages. We
> already run in safe-mode with our code, but we would like to run their
> code in an even more restricted environment than our own code (ie,
> disable some more functions, etc). Something similar to Perl's Safe
> module
> (http://www.cs.usask.ca/resources/documentation/perl/Safe.pm.html). Is
> this at all possible in PHP? Can you turn on more safe mode restrictions
> on certain bits of code?

A crude start might be to use http://php.net/exec to start ANOTHER php
process with a different php.ini which is more restrictive.

The problem there, though, is that you can only rule out "bad" functions
(black-list) instead of listing all "good" functions (white list) in
php.ini, so you'd have to come up with an exhaustive list of things you
think are "bad" which will change with every release and is generally
considered the wrong way to go about security...

You may be better off, then, by writing something not unlike (or just
plain using) Smarty or some other templating language, where you let them
make up the templates, and only allow some simple pre-defined substitution
of variables you pre-define or something...


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
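
The allow-list substitution approach suggested in the reply above, sketched as an added example that is not part of the original thread. The `{{name}}` placeholder syntax, the `render_user_template` function and the sample variables are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): substitute only pre-defined
// variables into a user-authored template. The user's text is treated purely
// as data; nothing here calls eval(), include or any other code-executing API.
function render_user_template(string $template, array $allowed): string
{
    // Split into literal text and {{...}} tokens (assumed placeholder syntax).
    $parts = preg_split('/(\{\{.*?\}\})/s', $template, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ($parts === false) {
        throw new RuntimeException('Template could not be parsed');
    }
    $out = '';
    foreach ($parts as $part) {
        if (preg_match('/^\{\{\s*([a-z_][a-z0-9_]*)\s*\}\}$/', $part, $m) === 1) {
            // Allow list: a name the CMS did not pre-define is an error.
            if (!array_key_exists($m[1], $allowed)) {
                throw new InvalidArgumentException("Unknown placeholder: {$m[1]}");
            }
            $out .= htmlspecialchars((string) $allowed[$m[1]], ENT_QUOTES, 'UTF-8');
        } elseif (strncmp($part, '{{', 2) === 0) {
            // Anything else that starts with braces, e.g. a function call, is refused.
            throw new InvalidArgumentException('Malformed placeholder');
        } else {
            // Literal markup passes through, but PHP open tags are neutralised
            // in case the rendered output is ever cached to a file and included.
            $out .= str_replace('<?', '&lt;?', $part);
        }
    }
    return $out;
}

// Constructed sample input: the variables the CMS exposes and a user template.
$vars = ['title' => 'News & <b>updates</b>', 'author' => 'editor'];
echo render_user_template('<h1>{{ title }}</h1><p>by {{author}}</p><?php phpinfo(); ?>', $vars), "\n";
try {
    render_user_template('{{ phpinfo() }}', $vars);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the renderer only recognises names present in `$vars`, new PHP functions added in later releases never become reachable from a template, which is the property a `disable_functions` deny list cannot give.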

