ID: 24732
User updated by: nightcat at poczta dot onet dot pl
Reported By: nightcat at poczta dot onet dot pl
Status: Open
Bug Type: Feature/Change Request
Operating System: *
PHP Version: 5.0.0b1 (beta1)
New Comment:
One more advantage of this would be situation like when i'm creating
CMS and i want to be sure that in whole application mysql connection
will be handled by my objects, not by mysql_* functions. Now, i have no
way to do this.
Previous Comments:
------------------------------------------------------------------------
[2003-08-11 09:05:10] nightcat at poczta dot onet dot pl
It's not a solution. As i said, there is no secure way to do it being
on a same level as "controled" script. And what if unsecure function
will be hidden inside a string (ROTted or other way mixed) and evaled?
I really belive that a way to make some areas "unsecure" from inside a
PHP core would be much better.
------------------------------------------------------------------------
[2003-08-09 15:10:24] dpenning at s0nix dot de
you can scan the file using the tokenizer and decide yourself if it is
secure
------------------------------------------------------------------------
[2003-07-20 17:25:03] nightcat at poczta dot onet dot pl
Description:
------------
Basicly, everyone who creates CMS at some point want to add modules, or
any other type of space for additional code.
But also we want this code to be signed as "untrusted", because we
_are_ afraid about this code (we don't know).
It would be really great to be able to lock some things for include
code. I don't have any clear vision of this, but i'll try to paste
example of my intention.
Reproduce code:
---------------
lock_variables($db->password, $accountPassword);
block_functions(mail, fopen, file);
include_once('module.inc');
unblock_functions(mail, fopen, file);
unlock_variables($db->password, $accountPassword);
Expected result:
----------------
It's only idea.
I'd expect that from inside of this include (and any recursive) there
want be any possiblity to use those functions and modify those
variables.
Secondly it would be really _great_, if if functions called from inside
of include could use everything normally. For eg. there won't be any
way to modify DB password (which is property of object $db) but calling
$db->connect would work normally (if it's not blocked by
block_functions() ).
Actual result:
--------------
There is really no way in PHP4 to prevent some untrusted parts from do
what they want with whole CMS. In PHP5 i can do it but in very tricky
and dirty way.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=24732&edit=1
