#1 |
|
I'm interested in adding custom scripting functionality to my PHP site. Are there any implementations of languages such as JavaScript, LUA, AWK etc... available for PHP?

I want to create an environment where I can populate some objects/data structures and create an API for users to conduct their own customized logic.

Originally I was interested in JavaScript, but it seems like the only offering that seemed close to what I want (php-js) does not receive updates anymore. I would like something that is still being maintained so that it can keep up to date.

Also, please consider this paragraph a disclaimer for the usual "Why would you want to do that?!" and other distractions. I am interested in creating a sandboxed environment and security is obviously a goal in my design...

Any suggestions and alternatives are welcome! I'm not averse to creating a secondary limited PHP environment within my script either if that is possible... It is the functionality I want and I'll take it in any form I can get!
|
|
|
#2 |
|
On Feb 25, 11:32 am, Omega <atrau...@gmail.com> wrote:
> I'm interested in adding custom scripting functionality to my PHP
> site.
> I'm not averse to
> creating a secondary limited PHP environment within my script either
> if that is possible.

In a *nix environment it would be possible to run any sort of command-line interpreter under the privileges of another user. The server had better have well thought out permissions set on all of its files, though. Of course, your PHP script needs to be carefully planned as well. I would still be wary about the security risks of this.

It may be necessary to even recreate the "birdcage" user account between invocations of this, since a site visitor could potentially do some interesting things to the account from scripts they submit.

You should do some research on the security risks of this as well as pay attention to the "that's a dumb idea" messages that I am expecting to be posted in reply to my suggestion.

-Michael Placentra II
|
|
|
#3 |
|
Omega wrote:
> I'm interested in adding custom scripting functionality to my PHP
> site. Are there any implementations of languages such as JavaScript,
> LUA, AWK etc... available for PHP?
>
> I want to create an environment where I can populate some objects/data
> structures and create an API for users to conduct their own customized
> logic.

Sounds dangerous, but interesting too ;-)
What functionality, and use-cases are you thinking of?

--
Kind regards,
Franz Marksteiner
|
|
|
#4 |
|
Omega wrote:
> I'm interested in adding custom scripting functionality to my PHP site.
> Are there any implementations of languages such as JavaScript, LUA, AWK
> etc... available for PHP?

Check out the "perl" and "python" modules in PECL <http://pecl.php.net>.

Also worth considering is the "runkit" module which allows you to do lots of interesting nifty things like redefine existing functions (even built-in functions) and define your own superglobals. Of interest to you though is that it enables you to take some PHP code (in a string), syntax check it, and run it in a sandbox.

Disclaimer: runkit is really weird and somewhat dangerous. You will probably break your whole server, but you'll have a fun time doing it.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 27 days, 17:38.]

Bottled Water
http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/
|
|
|
#5 |
|
On Feb 26, 2:58 am, "Franz Marksteiner" <franzmarkstei...@gmail.com> wrote:
> Omega wrote:
> > I'm interested in adding custom scripting functionality to my PHP
> > site. Are there any implementations of languages such as JavaScript,
> > LUA, AWK etc... available for PHP?
>
> > I want to create an environment where I can populate some objects/data
> > structures and create an API for users to conduct their own customized
> > logic.
>
> Sounds dangerous, but interesting too ;-)
> What functionality, and use-cases are you thinking of?
>
> --
> Kind regards,
> Franz Marksteiner

Very simple condition testing. Stuff akin to "If current user is [member of blah] and current function is [blah], return [true/false]".

I'm not so much interested in implementing this logic inside of the SQL server as I want it to be configurable and I do not want to get involved with stored procedures (dark path).

I am wondering if it would be safer for me to put the extra effort and come up with my own mini language for this stuff. But then that seems redundant and I would be spitting in the face of so many better, more full featured yet strangely absent implementations of the same idea!

It will be hardly dangerous as the scripts will only be allowed to work with information provided to them in their sandbox (or scope-box). The API will be very specific and the whole routine will be required to return true or false, or other simple structures.

The scripts won't have a large presence in the site and have very low exposure to regular users based on the functionality I would like them for - obviously that doesn't excuse the risk. But I kind of figured with my awareness of security and such, it is still not a threat.

I'm surprised this hasn't come about sooner as PHP has been so versatile and "with it". I assume it is only a matter of time before somebody picks up the php-js project and really slams spidermonkey and PHP together for some interesting options.
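
The kind of condition described in the post above ("If current user is [member of blah] and current function is [blah]") can be evaluated without embedding a general-purpose interpreter. The following is an added example, not code from any poster in this thread: a PHP 8 evaluator for a tiny rule language that is tokenized and parsed rather than passed to `eval()`, so the variables and predicates the host registers are the only names a rule can reach. `RuleEvaluator`, `member_of` and the `function` variable are hypothetical names chosen for illustration.

```php
<?php
// Added example (PHP 8+), hypothetical names. $vars: name => string; $preds: name => callable.
final class RuleEvaluator
{
    private array $tok = [];
    public function __construct(private array $vars, private array $preds) {}
    public function evaluate(string $rule): bool
    {
        if (strlen($rule) > 512) throw new DomainException('rule too long');
        // Allowed tokens: "string", identifier, ==, ( ). Anything else fails the coverage check.
        preg_match_all('/\G\s*("[^"]*"|[A-Za-z_][A-Za-z0-9_]*|==|[()])\s*/', $rule, $m);
        if (implode('', $m[0]) !== $rule) throw new DomainException('illegal token');
        $this->tok = $m[1];
        $v = $this->binary('or');
        return $this->tok === [] ? $v : throw new DomainException('trailing tokens');
    }
    private function take(?string $want = null): string
    {
        $t = array_shift($this->tok) ?? throw new DomainException('unexpected end of rule');
        return $want === null || $t === $want ? $t : throw new DomainException("expected $want");
    }
    // 'or' binds looser than 'and'; both operands are always parsed so syntax errors surface.
    private function binary(string $op): bool
    {
        $sub = fn(): bool => $op === 'or' ? $this->binary('and') : $this->unary();
        $v = $sub();
        while (($this->tok[0] ?? null) === $op) {
            array_shift($this->tok); $r = $sub();
            $v = $op === 'or' ? ($v || $r) : ($v && $r);
        }
        return $v;
    }
    private function unary(): bool
    {
        $t = $this->take();
        if ($t === 'not') return !$this->unary();
        if ($t === '(') { $v = $this->binary('or'); $this->take(')'); return $v; }
        $isCall = isset($this->preds[$t]);   // name("arg") if a predicate, else name == "literal"
        if (!$isCall && !isset($this->vars[$t])) throw new DomainException("unknown name $t");
        $this->take($isCall ? '(' : '==');
        if (($s = $this->take())[0] !== '"') throw new DomainException('expected string literal');
        if ($isCall) $this->take(')');
        $s = substr($s, 1, -1);
        return $isCall ? (bool) ($this->preds[$t])($s) : $this->vars[$t] === $s;
    }
}
$rules = new RuleEvaluator(['function' => 'delete_post'],   // constructed sample context
    ['member_of' => fn(string $g): bool => in_array($g, ['moderators', 'staff'], true)]);
var_dump($rules->evaluate('member_of("moderators") and function == "delete_post"'));
var_dump($rules->evaluate('not (member_of("admins") or function == "edit_post")'));
```

A rule that names anything the host did not register, or that contains a character outside the token set, raises `DomainException` instead of being executed.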
|
|
|
#6 |
|
On Feb 25, 6:55 pm, Mike Placentra II <nothingsoriginalontheinter...@gmail.com> wrote:
> On Feb 25, 11:32 am, Omega <atrau...@gmail.com> wrote:
>
> > I'm interested in adding custom scripting functionality to my PHP
> > site.
> > I'm not averse to
> > creating a secondary limited PHP environment within my script either
> > if that is possible.
>
> In a *nix environment it would be possible to run any sort of command-
> line interpreter under the privileges of another user. The server had
> better have well thought out permissions set on all of its files,
> though. Of course, your PHP script needs to be carefully planned as
> well. I would still be wary about the security risks of this.
>
> It may be necessary to even recreate the "birdcage" user account
> between invocations of this, since a site visitor could potentially do
> some interesting things to the account from scripts they submit.
>
> You should do some research on the security risks of this as well as
> pay attention to the "that's a dumb idea" messages that I am expecting
> to be posted in reply to my suggestion.
>
> -Michael Placentra II

Michael, personally I'd like to avoid invoking commandline. I don't think it would meet my needs either given that I would like to configure the environment to some degree (provide a kind of API). As well, the inherent security risks are obvious.

For sure I'm no novice in all this, I've simply found myself without an obvious solution.

Thank you though and I'm sure others that find this discussion will at least benefit from what we say!
|
|
|
#7 |
|
On Feb 26, 5:28 am, Toby A Inkster <usenet200...@tobyinkster.co.uk> wrote:
> Omega wrote:
> > I'm interested in adding custom scripting functionality to my PHP site.
> > Are there any implementations of languages such as JavaScript, LUA, AWK
> > etc... available for PHP?
>
> Check out the "perl" and "python" modules in PECL <http://pecl.php.net>.
>
> Also worth considering is the "runkit" module which allows you to
> do lots of interesting nifty things like redefine existing functions (even
> built-in functions) and define your own superglobals. Of interest to you
> though is that it enables you to take some PHP code (in a string), syntax
> check it, and run it in a sandbox.
>
> Disclaimer: runkit is really weird and somewhat dangerous. You will
> probably break your whole server, but you'll have a fun time doing it.
>
> --
> Toby A Inkster BSc (Hons) ARCS
> [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
> [OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 27 days, 17:38.]
>
> Bottled Water
> http://tobyinkster.co.uk/blog/2008/02/18/bottled-water/

Toby, bravo! Thank you!

I will start reading up on this, even the first paragraph sends shivers up my spine:

"The runkit extension provides means to modify constants, user-defined functions, and user-defined classes. It also provides for custom superglobal variables and embeddable sub-interpreters via sandboxing."

I'm surprised I didn't find this earlier as I had scoured the PHP site for instances of the word "sandbox"... Go figure.

Take care and I'll post updates here depending on whether this works out or not.