Does someone know a trick to have a PHP script self-restrict access to the file system (fopen, file_get_contents, etc.)?
Such calls should be blocke
Option #1
You can use open_basedir, which is a php.ini directive, to limit the directories the app has access to. The directories can be semicolon separated, so you can just list the directories you want the app to access, including the /tmp folder.
The caveat is that this also affects things like include, require.
Option #2
You could rename them using rename_function or runkit_function_rename and then wrap the renamed versions with your own logic.
Quote from the documentation:
Renames a orig_name to new_name in the global function table. Useful for temporarily overriding built-in functions.
Example:
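// Move the built-in out of the way so its name can be redefined below.
rename_function('file_get_contents', 'nouse_file_get_contents');

// Wrapper under the original name. Every optional parameter needs a default;
// the defaults here follow the PHP 8 signature of file_get_contents().
function file_get_contents($filename, $use_include_path = false, $context = null, $offset = 0, $maxlen = null) {
    //
    // Do some validation here
    //
    return nouse_file_get_contents($filename, $use_include_path, $context, $offset, $maxlen);
}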
Option #3
You could set up some coding standards for your devs and write some unit tests that run as part of the deployment before things are pushed to production. Not sure what your release procedures are, but these types of things should be caught before production.
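
The open_basedir approach from Option #1 can also be applied by the script itself: since PHP 5.3 the directive can be tightened, but not loosened, at run time with ini_set(). The following is an added example, not part of the original answer; restrict_fs() and the sandbox directory are hypothetical names constructed for the demo.

```php
<?php
// Added example: self-restrict file system access at run time via open_basedir.
// restrict_fs() is a hypothetical helper name, not a PHP built-in.
function restrict_fs(array $dirs): bool
{
    if ($dirs === []) {
        return false;                    // an empty allow-list would restrict nothing
    }
    $paths = [];
    foreach ($dirs as $dir) {
        $real = realpath($dir);          // open_basedir compares resolved paths
        if ($real === false || !is_dir($real)) {
            return false;                // refuse to continue with a partial allow-list
        }
        // Trailing separator so the entry names exactly this directory.
        $paths[] = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    }
    // PATH_SEPARATOR is ':' on Unix-like systems and ';' on Windows.
    return ini_set('open_basedir', implode(PATH_SEPARATOR, $paths)) !== false;
}

// Constructed sandbox directory and file for the demonstration.
$sandbox = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_demo_' . getmypid();
mkdir($sandbox, 0700);
$allowedFile = $sandbox . DIRECTORY_SEPARATOR . 'inside.txt';
file_put_contents($allowedFile, "allowed\n");

if (!restrict_fs([$sandbox])) {
    exit("could not apply open_basedir\n");
}

// Reads inside the allow-list still work.
$inside = @file_get_contents($allowedFile);
// This script lives outside the sandbox, so both calls are refused.
$outside = @file_get_contents(__FILE__);
$handle  = @fopen(__FILE__, 'r');
// Trying to widen the restriction to the parent directory is rejected.
$widened = @ini_set('open_basedir', dirname($sandbox));

echo 'read inside sandbox:    ', var_export($inside !== false, true), "\n";
echo 'read outside sandbox:   ', var_export($outside !== false, true), "\n";
echo 'fopen outside sandbox:  ', var_export($handle !== false, true), "\n";
echo 'widening accepted:      ', var_export($widened !== false, true), "\n";
echo 'effective open_basedir: ', ini_get('open_basedir'), "\n";

// Clean up the constructed files (still permitted: they are inside the sandbox).
unlink($allowedFile);
@rmdir($sandbox);
```

Call restrict_fs() only after all include/require statements have run, because the restriction applies to them as well.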