I'm storing PHP functions in a MySQL database from user input; these functions need to be able to be executed.
As we know, this could and will allow Mr hacker to tu
I've decided to go for something like this:
http://mustache.github.com/#demo
This will allow my users to format their data in their own way without direct PHP code.
I'm storing PHP functions in a MySQL database from user input; these functions need to be able to be executed.
This is an awful idea. It'll be very difficult to compile a list of "safe" functions and PHP is full of local vulnerabilities that could be exploited by anyone knowledgeable enough.
Even white-listing would be very difficult; it would be difficult to detect that code like $a = 'exe'; $a .= 'c'; $a('echo foo'); would be calling exec. Consider an alternative strategy that doesn't involve storing executable code.
You should NEVER run a function that is defined by user input. There are millions of ways that a user could disguise a function name that you cannot stop. For example, you can save a function name into a variable and run the function with the variable.
<?php
// A plain string holding a function name is a valid callable in PHP:
// $test(...) calls readfile(), so a filter that only looks for the
// literal text "readfile(" never sees the call.
$test = "readfile";
$test("somePageWithDatabasePassword.php");
?>
That is perfectly valid. And if you think you can test for functions run from variables, there are ways around that using chr(), concatenation, hex, etc.
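Both answers point the same way: never let a stored string decide which PHP function runs. The Mustache-style approach the asker settled on works precisely because the template only picks data fields and formatters out of a fixed table. The following is an added example, not code from the question, the answers or the Mustache project, of what that looks like in PHP: a minimal placeholder renderer with its own simplified {{field|formatter}} syntax (an assumption; real Mustache has no filter syntax), where the names render and $formatters are hypothetical and the sample data and template are constructed for the demonstration.

```php
<?php
// Added example (not from the question or answers): a small Mustache-style
// renderer where user-supplied templates can only reference data fields and
// a fixed allow-list of formatters. Nothing taken from the template is ever
// used as a PHP function name, so the $a = 'exe'; $a .= 'c'; $a(...) style of
// evasion has nothing to act on: an unknown formatter is rejected, not run.

// Allow-list: formatter name => closure. The template can only select a KEY
// from this array; it never supplies code or a bare function name.
$formatters = [
    'upper' => fn(string $s): string => strtoupper($s),
    'lower' => fn(string $s): string => strtolower($s),
    'trim'  => fn(string $s): string => trim($s),
    // gmdate() so the result does not depend on the server time zone.
    'date'  => fn(string $s): string => gmdate('Y-m-d', (int) $s),
];

/**
 * Render $template against $data. Placeholders are {{field}} or
 * {{field|formatter}} (simplified syntax assumed for this example).
 * Output is HTML-escaped, as Mustache does by default. Throws on an
 * unknown field or formatter instead of guessing what the user meant.
 */
function render(string $template, array $data, array $formatters): string
{
    return preg_replace_callback(
        '/\{\{\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*(?:\|\s*([a-zA-Z_][a-zA-Z0-9_]*)\s*)?\}\}/',
        function (array $m) use ($data, $formatters): string {
            $field = $m[1];
            $fmt   = $m[2] ?? null;   // optional group may be absent

            // Field lookup is a plain array access: no variable variables,
            // no eval, no extract().
            if (!array_key_exists($field, $data)) {
                throw new InvalidArgumentException("unknown field: $field");
            }
            $value = (string) $data[$field];

            // Formatter lookup: the name is only ever used as an array key.
            // Deliberately NOT $fmt($value), call_user_func($fmt, ...) or
            // function_exists($fmt); those would turn the template into code.
            if ($fmt !== null) {
                if (!isset($formatters[$fmt])) {
                    throw new InvalidArgumentException("unknown formatter: $fmt");
                }
                $value = $formatters[$fmt]($value);
            }

            return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample data and a user-written template (the kind of string the
// asker would store in the database). It can format, but cannot call anything
// outside the allow-list.
$data = ['name' => '  alice <b>x</b> ', 'joined' => 0];
echo render('Hello {{ name | trim }}, you joined on {{joined|date}}', $data, $formatters), "\n";

// A template that names an arbitrary PHP function is rejected, not executed.
try {
    render('{{name|readfile}}', $data, $formatters);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The design point is that the only thing a stored template can influence is which key of $data and which key of $formatters is read; adding a new formatting capability means editing the PHP allow-list, never the database. If you need richer behaviour than a handful of formatters, extend the table or the template grammar rather than reintroducing a path where a user-controlled string becomes a callable.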