> I learned to do this by studying Alfredo Pontillo and Angelo Mineo's
> R-php (http://dssm.unipa.it/R-php). Specifically, look at the file
> pages/result/index.php. They have done lots of other good stuff in
> their project, like filtering dangerous commands - you would not want
> to let a user just type in any R code, because they could seriously
> damage your server.

This is incredibly hard to do with any programming language, and with
R in particular, as there are so many different ways of accessing a
function.

For example, try running the following on their demo site:

a <- get(paste("sys", "tem", sep=""))
a("ls /")

vs

system <- 5
print(system)

Not to mention the fact that the security check is only performed in
javascript, so could be trivially removed by turning off javascript or
performing the post directly.

Hadley

______________________________________________
[email protected] mailing list
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.
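Hadley's two snippets show why a text-level blacklist of function names cannot work: the name can be assembled at run time, and the same word can appear harmlessly as a variable. The block below is an added example, not code from this thread or from R-php, of the defensive alternative: parse the submitted code server-side and allow only calls whose head is on an allowlist, rejecting by default anything that can reach a function by name (get, do.call, eval, match.fun) or that calls a function it is handed (lapply, Reduce, ...). The allowlist contents and the two constructed inputs are assumptions for illustration.

```r
# Added example, not code from the R-help thread or from R-php.
# Instead of scanning the source text for dangerous words, walk the parse
# tree and reject any call whose function name is not on a short allowlist.
# The allowlist is an assumption for illustration; a real deployment would
# tune it, but it must never include get, do.call, eval, match.fun,
# lapply/sapply/Reduce or anything else that calls a function it is given.

allowed <- c("<-", "=", "(", "{", "c", "paste", "print", "sum", "mean",
             "+", "-", "*", "/")

# Recursively collect the name at the head of every call in an expression.
called_functions <- function(expr) {
  if (is.expression(expr)) {
    # parse() returns an expression vector: check each top-level statement.
    return(unlist(lapply(expr, called_functions)))
  }
  if (!is.call(expr)) {
    return(character(0))          # symbols and constants call nothing
  }
  head <- expr[[1]]
  args <- as.list(expr)[-1]
  # A head that is itself an expression, e.g. (get("system"))("ls /"),
  # cannot be checked by name, so it is marked and walked as well.
  head_name <- if (is.symbol(head)) as.character(head) else "<computed>"
  c(head_name,
    if (!is.symbol(head)) called_functions(head),
    unlist(lapply(args, called_functions)))
}

# Allowlist check on the parse tree. Returns the calls found, the ones that
# are not permitted, and whether the code may be run at all.
check_code <- function(src, allowed) {
  calls <- unique(unname(called_functions(parse(text = src, keep.source = FALSE))))
  rejected <- setdiff(calls, allowed)
  list(calls = calls, rejected = rejected, ok = length(rejected) == 0)
}

# The two snippets from the post, as constructed inputs.
bypass   <- 'a <- get(paste("sys", "tem", sep=""))\na("ls /")'
harmless <- 'system <- 5\nprint(system)'

# A text-level blacklist of the kind the post criticises, for contrast.
naive_filter <- function(src) !grepl("system", src, fixed = TRUE)

str(list(
  naive_bypass   = naive_filter(bypass),
  naive_harmless = naive_filter(harmless),
  tree_bypass    = check_code(bypass, allowed)$rejected,
  tree_harmless  = check_code(harmless, allowed)$ok
))
```

On the first snippet the tree check rejects `get` (and the computed-name call through `a`), while the substring filter lets it through because the word never appears whole; on the second the tree check accepts the code, since `system` is only assigned and printed and never called, while the substring filter blocks it. The check has to run on the server, not in the browser, for the reason given in the post. It is also only a gate on what the code may name, not a sandbox: user-defined functions, loops and resource use still need an OS-level sandbox with CPU, memory and network limits around the R process.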