I have a PHP shell and I want users to be able to call functions directly. I got it done. But then I found out that users can call even pre-defined functions like unlink and more. I think this is a security hole, so I want to restrict callable functions to only those which I have defined, e.g. calling unlink won't work.
You can get the list of defined functions with
get_defined_functions();
It will return an assoc array with user defined and internal functions. You can use that information to decide whether a function is user defined or internal. (manual)
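As an added example (not code from the answer above): a dispatcher for the shell that builds its allowlist from the 'user' half of get_defined_functions() and refuses anything else. The functions greet() and add() and the request list are hypothetical; only the allowlist logic matters.

```php
<?php
// Added example: a dispatcher that lets a caller invoke only functions defined
// in user code, never internals such as unlink(). greet()/add() and the
// request list below are hypothetical, constructed for the demonstration.

function greet(string $name): string { return "hello, $name"; }
function add(int $a, int $b): int { return $a + $b; }

// Build the allowlist once from get_defined_functions()['user'].
// PHP function names are case-insensitive and are reported lowercased,
// so a requested name must be normalised the same way before the lookup.
function build_allowlist(): array
{
    return array_fill_keys(get_defined_functions()['user'], true);
}

function call_user_only(string $fn, array $args)
{
    static $allow = null;
    if ($allow === null) {
        $allow = build_allowlist();
    }
    if (!isset($allow[strtolower($fn)])) {
        throw new RuntimeException("refused: '$fn' is not a user-defined function");
    }
    return $fn(...$args);
}

// Constructed requests, as they might arrive decoded from the shell's input.
$requests = [
    ['greet',      ['alice']],
    ['ADD',        [2, 3]],             // different case: still a user function, allowed
    ['unlink',     ['/etc/passwd']],    // internal: refused
    ['UnLink',     ['/etc/passwd']],    // case games: still refused
    ['shell_exec', ['id']],             // refused
];
foreach ($requests as [$fn, $args]) {
    try {
        var_dump(call_user_only($fn, $args));
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Two caveats a practitioner should keep in mind: the 'user' list contains every function from every included file, so on a real application an explicit array of names is tighter than "anything user-defined"; and user-defined does not mean harmless, since a helper that wraps shell_exec() is as dangerous as shell_exec() itself. ReflectionFunction::isInternal() gives the same user/internal distinction per function if you prefer to check on demand.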
You can disable functions using the disable_functions INI setting (in your php.ini file).
For example:
disable_functions=unlink,fopen,file_get_contents [and so on...]
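An added php.ini fragment (not from the answer above) showing a more complete list: disabling unlink alone still leaves rename, rmdir and file_put_contents able to destroy the same files, and the process-execution functions are the ones a shell reaches for first. disable_functions is PHP_INI_SYSTEM, so it can only be set in php.ini or the SAPI's main configuration, never with ini_set() at runtime, and it applies to every script the interpreter runs, not only the shell.

```ini
; Added example, not from the original answer. The list is a starting point;
; trim it to what the rest of the application can live without.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,unlink,rename,rmdir,chmod,file_put_contents,symlink,link
```

Check that the running interpreter actually picked it up with `php -i | grep disable_functions` (or phpinfo() for the web SAPI), since CLI and web often read different php.ini files.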
Related
I am familiar with built in php functions such as str_rev, str_replace, etc... Is there a way to enable our own custom functions to be automatically available in a php document instead of being forced to use include or require?
In other words, I would like to make my own custom built-in like functions that can be called without having to include or require a file prior to function call. Can this be done?
Typically, I don't consider global functions a good idea; however, yes, you can create a file anywhere on your server and include it in the php.ini file like so:
auto_prepend_file = "/path/to/global_functions.php"
Your php.ini will most probably already have the auto_prepend_file property so you may need to locate it and avoid having duplicate properties.
I'm always using a function to write to a log file, but this function is defined in a file among many other things that I don't need to include.
I was wondering, is it possible to define a function somewhere inside php to make it available without the need to include the source file? Sort of like how I can just use echo or die, or isset. Could I create my own function to use it this way?
Thank you.
No. To do that, you'll have to write a PHP extension in C. Any PHP code will always need to be included explicitly one way or another.
PHP has the option to always automatically include a file at the beginning though: http://www.php.net/manual/en/ini.core.php#ini.auto-prepend-file
Actually, you need to make a module with your function.
Other ways:
make an autoloader: http://www.php.net/manual/en/language.oop5.autoload.php
put only this function in another file and include it every time you need it.
you can add your log class to the set_include_path path or add this function to a PEAR library class
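As an added example (not code from any of the answers above), the file an auto_prepend_file line points at, combined with the autoloader suggestion from the last answer. The path, the log location and the helper names are hypothetical.

```php
<?php
// /path/to/global_functions.php (added example, not from the original answers):
// the file named by   auto_prepend_file = "/path/to/global_functions.php"
// PHP compiles and runs it before every script, so whatever it defines is
// available without include/require. Paths and names here are hypothetical.

// Guard each definition: if a script also includes this file, or defines a
// helper of the same name, an unguarded definition dies with "Cannot redeclare".
if (!function_exists('log_line')) {
    /** Append a timestamped line to the application log; false on failure. */
    function log_line(string $message, string $file = '/var/log/app/app.log'): bool
    {
        // Strip line breaks so a message taken from user input cannot forge extra log entries.
        $line = date('c') . ' ' . str_replace(["\r", "\n"], ' ', $message) . PHP_EOL;
        return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
    }
}

// The prepend file is also the natural place for the other approach the
// answers mention, an autoloader: classes are then loaded on first use.
spl_autoload_register(static function (string $class): void {
    $base = '/path/to/lib/';   // hypothetical class directory; must be a canonical absolute path
    $rel  = str_replace('\\', '/', ltrim($class, '\\')) . '.php';
    $file = realpath($base . $rel);
    // Only load files that really live under $base (no "..", no symlink escapes).
    if ($file !== false && str_starts_with($file, $base) && is_file($file)) {
        require $file;
    }
});
```

Verify the setting from the command line with `php -r 'var_dump(ini_get("auto_prepend_file"), function_exists("log_line"));'`. Keep the prepended file small and free of side effects, because it runs on every request, and treat it as privileged: whoever can change auto_prepend_file, whether in php.ini, a .user.ini or an .htaccess php_value line, gets code run before every script on the host.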
My question is if it's possible to extend a declared function.
I want to extend mysql_function to add mysql query that insert into a table some logs : 'query' - the parameter of mysql_query, date,page...etc
No.
You can extend a class method and call parent::methodname() to run the previous code (which is almost what you ask for), but for normal functions, there is no way to do this.
There are some esoteric PHP extensions that allow overriding functions, but I assume that's not what you need and their use is rarely practical.
What you probably want to do is create a new function, and call the existing function in it.
No, you cannot do that. Either enable the MySQL query logs, or wrap the code doing the queries in a Logging Decorator, or use an abstraction like Zend_Db that can take a Profiler, or use a transparent logging plugin for mysqlnd.
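An added example (not code from the answers above) of the two suggestions that recur in them: a new function or class that calls the existing one, here as a logging decorator around PDO. The log insert uses a prepared statement, so the logged query text cannot break the insert however many quotes it contains; SQLite in memory is used so it runs offline, and the DSN is the only thing to swap for MySQL. The query_log table and the users table are constructed for the demonstration.

```php
<?php
// Added example: a logging decorator around PDO. Every statement that goes
// through it is first recorded in query_log (the table name is hypothetical),
// then executed. Statement text is logged, bound parameter values are not,
// so secrets passed as parameters never land in the log.

final class LoggingDb
{
    public function __construct(private PDO $pdo, private string $page)
    {
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS query_log (
            id INTEGER PRIMARY KEY, query TEXT NOT NULL, page TEXT NOT NULL, logged_at TEXT NOT NULL)');
    }

    /** Log $sql, then run it with $params bound, and hand back the statement. */
    public function query(string $sql, array $params = []): PDOStatement
    {
        $log = $this->pdo->prepare('INSERT INTO query_log (query, page, logged_at) VALUES (?, ?, ?)');
        $log->execute([$sql, $this->page, date('c')]);

        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }

    public function logEntries(): array
    {
        return $this->pdo->query('SELECT query, page FROM query_log ORDER BY id')
                         ->fetchAll(PDO::FETCH_ASSOC);
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db  = new LoggingDb($pdo, $_SERVER['SCRIPT_NAME'] ?? 'cli');

$db->query('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->query('INSERT INTO users (name) VALUES (?)', ["O'Brien"]);   // the quote is data, not SQL
$rows = $db->query('SELECT name FROM users WHERE name = ?', ["O'Brien"])->fetchAll(PDO::FETCH_COLUMN);

var_dump($rows);               // array with the single name O'Brien
print_r($db->logEntries());    // one log row per statement issued above
```

With the old mysql_query() style, the same shape applies (log first, run second), but the query text must then be escaped with mysql_real_escape_string() before it is interpolated into the log insert, which is exactly the step the prepared statement makes impossible to forget.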
You need to write a function that will take your query, log the SQL first, run your query, then return the results.
E.G
<?php
function mysql_query_log($sql)
{
    // write the log entry first (fill in your own log table and columns here)
    mysql_query('insert into .... values ...');
    // then run the real query and hand back whatever it returns
    $results = mysql_query($sql);
    //do the normal thing you do with mysql here
    return $results;
}
This is not extending a function though; you can only extend a class.
It's not possible.
You should have created your own API (or use an existing one) to access the DB so when you need logging you can simply enhance your own API function. It also comes very handy if you need some custom error handling function. Refactor the code.
Well.. PHP says this: http://php.net/manual/en/function.override-function.php
from http://php.net/manual/en/function.rename-function.php
bool rename_function ( string $original_name , string $new_name )
Renames orig_name to new_name in the global function table. Useful
for temporarily overriding built-in functions.
I believe that if you rename the original to original_mysql_query, then add your replacement function which does your logging and then calls original_mysql_query etc, that you will achieve your goal, assuming that you have the way to inject the rename on every page that will call MySQL_query. Most large sites have common code that is included at the top of every page that could do that for you.
There is also a built in php function called override_function (mentioned by ChrisH). It is not fully documented in the php man page but the user comments below the doc give you the information that you need to use it if you prefer it to the rename_function function. There was a discussion about being limited to one override if you needed to call the original function from the replacement. Using the rename_function instead of the override function eliminates that potential restriction.
I wonder if it is possible to use Boost.PHP to replace some PHP core functions' logic and/or extend them. So what I want is simple: when a php script calls require_once(dirname(__FILE__) . "/file.php"); I want to receive dirname(__FILE__) . "/file.php" with my function, create somehow that required file (in my case, go to some distributed storage), and return that file to the PHP interpreter as if it was the desired file.
Is it possible with Boost.PHP? How could I do such thing?
I don't know Boost, but I doubt it, as they are language constructs, not functions.
You can however write your own wrapper for a stream / protocol (either define your own, like 'mywrapper://path/to/something', or you can override the file:// wrapper, but the latter means you'll have to keep flipping between override & normal, otherwise you cannot open files on your filesystem yourself :)
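An added example (not code from the answer above) of the wrapper the answer suggests: a user-land stream wrapper registered as memstore://, so that require/include read code from something other than the filesystem. The "distributed storage" is stood in for by an in-memory array with constructed contents; a real wrapper would fetch from the store inside stream_open(). Because whatever the wrapper returns runs with the application's privileges, each entry is checked against a SHA-256 that in practice would come from a signed manifest, not from the store being checked.

```php
<?php
// Added example: a user-land stream wrapper that serves PHP code to
// require/include from an in-memory store (constructed data), verifying a
// digest before handing the bytes to the interpreter. Names are hypothetical.

final class MemStoreWrapper
{
    private const SCHEME = 'memstore://';
    /** Constructed store: name => [code, expected sha256 hex digest]. */
    private static array $store = [];
    private string $data = '';
    private int $pos = 0;
    public $context;                        // PHP sets this; it must be a public property

    public static function put(string $name, string $code, string $expectedSha256): void
    {
        self::$store[$name] = [$code, $expectedSha256];
    }

    public function stream_open(string $path, string $mode, int $options, ?string &$openedPath): bool
    {
        $name = substr($path, strlen(self::SCHEME));
        if (!isset(self::$store[$name])) {
            return false;
        }
        [$code, $expected] = self::$store[$name];
        if (!hash_equals($expected, hash('sha256', $code))) {
            return false;                   // content does not match the manifest: refuse to serve it
        }
        $this->data = $code;
        $this->pos  = 0;
        return true;
    }

    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool { return $this->pos >= strlen($this->data); }
    public function stream_stat(): array { return ['size' => strlen($this->data)]; }
    // include/require ask for read buffering; saying "not supported" is fine.
    public function stream_set_option(int $option, int $arg1, int $arg2): bool { return false; }

    public function url_stat(string $path, int $flags): array|false
    {
        $name = substr($path, strlen(self::SCHEME));
        return isset(self::$store[$name]) ? ['size' => strlen(self::$store[$name][0])] : false;
    }
}

stream_wrapper_register('memstore', MemStoreWrapper::class) or die("memstore:// already registered\n");

$good = '<?php function greet_from_store(string $n): string { return "hi $n"; }';
MemStoreWrapper::put('lib/greet.php', $good, hash('sha256', $good));
// Same entry with altered content but the original digest, as if the store had been tampered with.
MemStoreWrapper::put('lib/tampered.php', $good . ' // altered', hash('sha256', $good));

require_once 'memstore://lib/greet.php';
echo greet_from_store('alice'), "\n";       // hi alice

$loaded = @include 'memstore://lib/tampered.php';
var_dump($loaded);                          // bool(false): the wrapper refused to open it
```

The hash check is the part that matters when code is pulled from shared storage: without it, anyone who can write to the store can run code in every application that includes from it. The existing require_once(dirname(__FILE__) . "/file.php") calls would still need their paths rewritten to the memstore:// scheme, since the answer is right that the construct itself cannot be hooked.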
To change the behavior of a core PHP function you can use the runkit extension.
bool runkit_function_rename ( string $funcname , string $newname )
Note: By default, only userspace functions may be removed, renamed, or modified. In order to override internal functions, you must enable the runkit.internal_override setting in php.ini.
Please note that the extension is mainly used for unit testing and not used in production that often (as far as I know at least).
So you can do
runkit_function_rename("strlen", "org_strlen");
function strlen($string) {
    // call the renamed original, then adjust its result (the +1 belongs on the length, not on the string)
    return org_strlen($string) + 1;
}
For things like require or isset that are language constructs and not functions, see @Wrikken's answer (+1)
I'm thinking about how to find from where any function was called. The problem is that I need to find where the PHP is calling mail() function. One way will be to use register_tick_function(), but I'll need to open each file and check what is on each line. The project is huge, it will take really long to parse each file in PHP. Any other way? Or option how to override the mail() function?
To override the built-in mail function, take a look at override_function which is part of the Advanced PHP Debugger PECL extension - then you can use debug_backtrace to find out the caller details...
//define code to override mail function (note I've used php5.3 nowdoc syntax to avoid
//the need to escape the dollar symbols!!)
$code=<<<'CODE'
$trace=debug_backtrace();
$frame=array_shift($trace);   // frame 0 is the mail() call itself: its file/line are where mail() was written
$caller=array_shift($trace);  // frame 1 is the function/method that made the call (absent for top-level code)
echo 'mail() called at '.$frame['file'].':'.$frame['line'];
if ($caller) {
    echo ' in '.(isset($caller['class']) ? $caller['class'].'::' : '').$caller['function'];
}
CODE;
//install override
override_function('mail', '$to,$subject,$msg,$hdrs,$params', $code);
You can inspect the stack trace with debug_backtrace(). This will contain information about the calling method/function among others. See the manual for examples.
To add behavior to an existing function, wrap the function into your own function or class and then call this instead of the native function.
To completely redefine a native function, you'd have to install runkit. Then you could do runkit_redefine_function() (or use APD as suggested elsewhere).
If you just want to know where in your project mail() was called, e.g. you do not need to evaluate this at runtime, use your IDE's search function. Eclipse, Zend Studio and Netbeans can do file searches, so it should be very easy to find the calls and also to replace them.
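An added example (not code from the answers above) that does what the override_function and debug_backtrace answers describe without any extension: inside a namespace, an unqualified mail() call resolves to the namespace's own mail() before falling back to the global one, so a shim in that namespace catches every unqualified call in namespaced code, logs the call site from debug_backtrace(), and forwards to the real function. The namespace App and the helper names are hypothetical.

```php
<?php
// Added example: find where mail() is called, at runtime, with no extension.
// Works for unqualified mail() calls in code under this namespace; calls
// written as \mail() or in the global namespace bypass it. Names are hypothetical.
namespace App;

/** "file:line" of the frame that called the function which invoked this helper. */
function caller_location(int $depth = 1): string
{
    // Frame 0 is the call to caller_location(); frame 1 is the call to our mail()
    // shim, whose file/line are where mail() is written in the source.
    $frames = \debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, $depth + 1);
    $f = $frames[$depth] ?? $frames[\count($frames) - 1];
    return ($f['file'] ?? 'unknown') . ':' . ($f['line'] ?? 0);
}

function mail(string $to, string $subject, string $message, $headers = [], string $params = ''): bool
{
    \error_log(\sprintf('mail() to %s called from %s', $to, caller_location()));
    // Forward to the real function (delivery still needs a configured MTA).
    return \mail($to, $subject, $message, $headers, $params);
}

// Unqualified call: resolves to App\mail, which logs the location and forwards.
mail('ops@example.invalid', 'test', 'hello');
```

For the non-namespaced bulk of a large project, PHP itself offers a zero-code route: the mail.log ini setting writes a line with the calling script path and line for every mail() call, and mail.add_x_header adds an X-PHP-Originating-Script header to the message, which also makes a compromised script that sends spam easy to trace.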
The brute force approach would be to do a global search and replace in your code, replacing "mail\s(" with "my_mail(", then define my_mail and put whatever logging functionality you want there.
Why don't you simply search the source for "mail("?
I take it you have access to the source code?
Why not just use an editor like jEdit, and find all occurrences of mail(* in all open buffers?
Or do you really need to know the line numbers at runtime? I can't imagine that you actually do.