Need advise from a php guru
Old 10-05-2009, 09:16 PM Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Hey guys. I am working on a basic PHP tutorial.
Before you yell at me for doing this when I can't answer my own question, remember I said Basic LOL

I created a script that lets the student create a PHP file in a textarea. When they submit it, a file is written to a folder on my server and they are given a link to view it. When they view it, at the top of the page before their code starts is a message saying they must click this link to close the window after they are done viewing.
They click the link and it deletes the file they just wrote and closes the window.

This all works fine, but here is my question. Would I be crazy to let it go public? Could someone use the tutorial page to write a script that would trash my site? And is there any way I could make it secure so they don't?

Thanks in advance for any ideas
 
 
Old 10-05-2009, 09:56 PM Re: Need advise from a php guru
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
Yes, you'd be crazy. Parsing the PHP to let someone run only safe code is a gargantuan task. Why not stick with pure HTML?
 
Old 10-05-2009, 10:44 PM Re: Need advise from a php guru
rednimaT's Avatar
Skilled Talker

Posts: 64
Name: Taminder B.
Location: San Jose, CA
Trades: 0
Yes. I've written a PHP script that can view the contents of the entire directory and the source code for every PHP file in the directory (even directories before that directory in Windows-based servers).
 
Old 10-05-2009, 11:04 PM Re: Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Quote:
Originally Posted by JeremyMiller View Post
Yes, you'd be crazy. Parsing the PHP to let someone run only safe code is a gargantuan task. Why not stick with pure HTML?
I don't understand. How can I let them test the file they just wrote with pure HTML?

But I am glad I asked before letting it out to use.

I think I will package the script and give it away so they can upload it to their own site, then just use my site for the tutorial part. Thanks for the help.
 
Old 10-05-2009, 11:07 PM Re: Need advise from a php guru
911
911's Avatar
Novice Talker

Posts: 10
Name: Jesse
Trades: 0
Number #1 security rule...

Eliminate all chances of allowing outside code to be executed on your server. This is why forums are the #1 target for malicious activity.

Wish you the best of luck on your task.
 
Old 10-05-2009, 11:46 PM Re: Need advise from a php guru
JeremyMiller's Avatar
WT Moderator

Posts: 1,712
Name: Jeremy Miller
Location: Las Vegas, NV
Trades: 0
Quote:
Originally Posted by bmcoll3278 View Post
I don't understand. How can I let them test the file they just wrote with pure HTML?
You can't, except to view the file in a browser. You're writing a tutorial, though, so what does it matter which language you use?
 
Old 10-06-2009, 12:25 AM Re: Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Ok, I get what you meant. The tutorial is in HTML.
The PHP is to let them try the scripts they write, but that idea is scrapped after what you guys here said.
I will just do the tutorials in HTML and offer the script for them to use on their own server as a tool.
Thanks again
 
Old 10-06-2009, 12:31 AM Re: Need advise from a php guru
911
911's Avatar
Novice Talker

Posts: 10
Name: Jesse
Trades: 0
Hey Brian, be sure to post your final page. I'd like to see what you end up doing and maybe give you any advice if you want.
 
Old 10-06-2009, 12:35 PM Re: Need advise from a php guru
rednimaT's Avatar
Skilled Talker

Posts: 64
Name: Taminder B.
Location: San Jose, CA
Trades: 0
Well, I think it's possible to write a script where they can write the PHP script, click submit and it will show on top of what they wrote the output of the script they just wrote. If their server doesn't support PHP, you can have them download a simple lightweight web server where they can view it on localhost. They can use QuickPHP. It's pretty much an application that you download, and just click start and the server will load (and it's very lightweight, meant for testing out scripts on a local server). Hope that helped.
 
Old 10-06-2009, 10:26 PM Re: Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Quote:
Originally Posted by 911 View Post
Hey Brian, be sure to post your final page. I'd like to see what you end up doing and maybe give you any advice if you want.
Thanks. I think it may be above my skill level to make it interactive like I want without setting myself up for hacking.

But I may package my script with a simple self installer, give it to the user, then they can read my tutorial and run the script on their server.
But I am still going to look for a way to make it work on mine. I just don't want to get hacked, so I will need advice. I am grateful for the offer.
 
Old 10-06-2009, 11:31 PM Re: Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Quote:
Originally Posted by rednimaT View Post
Well, I think it's possible to write a script where they can write the PHP script, click submit and it will show on top of what they wrote the output of the script they just wrote. If their server doesn't support PHP, you can have them download a simple lightweight web server where they can view it on localhost. They can use QuickPHP. It's pretty much an application that you download, and just click start and the server will load (and it's very lightweight, meant for testing out scripts on a local server). Hope that helped.
Writing the script is easy; I have it working fine. But I am afraid to let anyone use it for fear they could execute a script on my server that screws up my site.
 
Old 10-07-2009, 12:11 AM Re: Need advise from a php guru
NullPointer's Avatar
Will Code for Food

Posts: 2,784
Name: Matt
Location: Irvine, CA
Trades: 0
Quote:
Originally Posted by bmcoll3278
I notice you answer a lot of PHP questions and seem to know your stuff.

Would you look at this post and see if you could give any advice?
http://www.webmaster-talk.com/php-fo...-php-guru.html

I would like to make this idea work but don't want to get myself hacked.
Thanks
The problem with allowing users to upload and execute PHP code is that it would be far too difficult to restrict their access to possibly dangerous functions. Just off the top of my head:
exec
eval
unlink
rmdir
database functions
filesystem functions
...

By the time you eliminate anything that can be misused you won't have much of a language at all.

Even then someone determined enough could most likely still do something malicious. As far as I'm aware there is no way to accomplish what you are trying to do effectively.
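
Added example (not code from any poster in this thread): a deny-by-default screen built on PHP's `token_get_all()`, showing how little of the language is left once the function families NullPointer lists are excluded. The two allowlists and both sample submissions are constructed assumptions, and passing the screen does not make a submission safe to execute; it does nothing about loops that never end or memory exhaustion.

```php
<?php
// Added illustration, not code from the thread. ALLOWED_CALLS is an assumed,
// deliberately tiny allowlist; passing this screen does NOT make code safe to run.
const ALLOWED_CALLS = ['strlen', 'strtoupper', 'str_repeat', 'count', 'implode'];

// Token types a beginner lesson needs; every other token type is rejected.
const ALLOWED_TOKENS = [
    T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_ECHO, T_VARIABLE,
    T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING, T_STRING,
    T_IF, T_ELSE, T_FOR, T_INC, T_DEC, T_IS_EQUAL, T_IS_SMALLER_OR_EQUAL,
];

/** Returns the reasons to reject $source (an empty list means nothing was flagged). */
function screen_submission(string $source): array
{
    $reasons = [];
    $tokens  = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        // Look ahead to the next non-whitespace token to recognise a call.
        $next = null;
        for ($j = $i + 1; $j < count($tokens); $j++) {
            if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) {
                $next = $tokens[$j];
                break;
            }
        }
        if (!is_array($tok)) {                 // single-character token
            if ($tok === '`') {
                $reasons[] = 'backtick shell execution operator';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        if (!in_array($id, ALLOWED_TOKENS, true)) {
            $reasons[] = "line $line: " . token_name($id) . " ($text) not allowed";
        } elseif ($id === T_VARIABLE && $next === '(') {
            $reasons[] = "line $line: call through variable $text, target unknown until runtime";
        } elseif ($id === T_STRING && $next === '(' && !in_array(strtolower($text), ALLOWED_CALLS, true)) {
            $reasons[] = "line $line: call to $text() is not on the allowlist";
        }
    }
    return $reasons;
}

// Constructed sample submissions (not taken from the thread).
$lesson = '<?php $n = strlen("hello"); echo str_repeat("*", $n);';
$other  = '<?php $f = $_POST["fn"]; $f("notes.txt"); eval($x); include "a.php";';
print_r(screen_submission($lesson));
print_r(screen_submission($other));
```

The screen also rejects object access, `new`, namespaced names and string interpolation, because those token types are absent from the assumed allowlist, which is the "not much of a language" outcome described in the post above.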
 
Old 10-07-2009, 01:04 AM Re: Need advise from a php guru
bmcoll3278's Avatar
Super Talker

Posts: 118
Name: Brian Collins
Trades: 0
Quote:
Originally Posted by NullPointer View Post
The problem with allowing users to upload and execute PHP code is that it would be far too difficult to restrict their access to possibly dangerous functions. Just off the top of my head:
exec
eval
unlink
rmdir
database functions
filesystem functions
...

By the time you eliminate anything that can be misused you won't have much of a language at all.

Even then someone determined enough could most likely still do something malicious. As far as I'm aware there is no way to accomplish what you are trying to do effectively.
Thank you much. I will try something else. I just thought it would be cool to have the only tutorial that was interactive.