User-scripting within PHP

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I'm interested in adding custom scripting functionality to my PHP
site.  Are there any implementations of languages such as JavaScript,
LUA, AWK etc... available for PHP?

I want to create an environment where I can populate some objects/data
structures and create an API for users to conduct their own customized

Originally I was interested in JavaScript, but it seems like the only
offering that seemed close to what I want (php-js) does not receive
updates anymore.  I would like something that is still being
maintained so that it can keep up to date.

Also, please consider this paragraph a disclaimer for the usual "Why
would you want to do that?!" and other distractions.  I am interested
in creating a sandboxed environment and security is obviously a goal
in my design...

Any suggestions and alternatives are welcome!  I'm not averse to
creating a secondary limited PHP environment within my script either
if that is possible...  It is the functionality I want and I'll take
it in any form I can get!


Re: User-scripting within PHP

Quoted text here. Click to load it

In a *nix environment it would be possible to run any sort of command-
line interpreter under the privileges of another user. The server had
better have well thought out permissions set on all of it's files,
though. Of course, your PHP script needs to be carefully planned as
well. I would still be wary about the security risks of this.

It may be necessary to even recreate the "birdcage" user account
between invocations of this, since a site visitor could potentially do
some interesting things to the account from scripts they submit.

You should do some research on the security risks of this as well as
pay attention to the "that's a dumb idea" messages that I am expecting
to be posted in reply to my suggestion.

-Michael Placentra II

Re: User-scripting within PHP

On Feb 25, 6:55 pm, Mike Placentra II
Quoted text here. Click to load it

Michael, personally I'd like to avoid invoking commandline.  I don't
think it would meet my needs either given that I would like to
configure the environment to some degree (provide a kind of API).  As
well, the inherent security risks are obvious.
For sure I'm no novice in all this, I've simply found myself without
an obvious solution ;)

Thank you though and I'm sure others that find this discussion will at
least benefit from what we say!

Re: User-scripting within PHP

Omega wrote:
Quoted text here. Click to load it

Sounds dangerous, but interesting too ;-)
What functionality, and use-cases are you thinking of?

Freundliche Gre,
Franz Marksteiner

Re: User-scripting within PHP

Quoted text here. Click to load it

Very simple condition testing.  Stuff akin to "If current user is
[member of blah] and current function is [blah], return [true/
false]".  I'm not so much interested in implementing this logic inside
of the SQL server as I want it to be configurable and I do not want to
get involved with stored procedures (dark path).

I am wondering if it would be safer for me to put the extra effort and
come up with my own mini language for this stuff.  But then that seems
redundant and I would be spitting in the face of so many better, more
full featured yet strangely absent implementations of the same idea!
It will be hardly dangerous as the scripts will only be allowed to
work with information provided to them in their sandbox (or scope-
box).  The API will be very specific and the whole routine will be
required to return true or false, or other simple structures.

The scripts won't have a large presence in the site and have very low
exposure to regular users based on the functionality I would like them
for - obviously that doesn't excuse the risk.  But I kind of figured
with my awareness of security and such, it is still not a threat.
I'm surprised this hasn't come about sooner as PHP has been so
versatile and "with it".  I assume it is only a matter of time before
somebody picks up the php-js project and really slams spidermonkey and
PHP together for some  interesting options.

Re: User-scripting within PHP

Omega wrote:

Quoted text here. Click to load it

Check out the "perl" and "python" modules in PECL < .

Also worth considering is the "runkit" module to which allows you to
dolots of interesting nifty things like redefine existing functions (even
built-in functions) and define your own superglobals. Of interest to you
though is that it enables you to take some PHP code (in a string), syntax
check it, and run it in a sandbox.

Disclaimer: runkit is really weird and somewhat dangerous. You will
probably break your whole server, but you'll have a fun time doing it.

Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux, up 27 days, 17:38.]

                               Bottled Water

Re: User-scripting within PHP

Quoted text here. Click to load it

Toby, bravo!  Thank you!

I will start reading up on this, even the first paragraph sends
shivers up my spine:

"The runkit extension provides means to modify constants, user-defined
functions, and user-defined classes. It also provides for custom
superglobal variables and embeddable sub-interpreters via sandboxing."

I'm surprised I didn't find this earlier as I had scoured the PHP site
for instances of the word "sandbox"...Go figure.

Take care and I'll post updates here depending on whether this works
out or not.

Site Timeline