I'm making a web code tester application in PHP which is cappable of executing PHP and MySql codes directly. This gives the users the ability to test their webcodes on my website right away. However, I imagine such code brings a lot of (possible) security issues, as it just executes any code written inside a textbox by the user. So I was wondering: how do I make such a code tester to be secure? What I was doing so far is preg_matching all 'dangerous' PHP functions out of the user input code ( e.g. the function CHMOD ), but I'm not sure if it's realistic to do this for all possibly harming functions in PHP.
Any suggestions on how to make my script secure?
I don't really have an "answer" for you, but hopefully can offer some advice and a few things to think about...
This doesn't sound like an easy task. And the approach you're taking so far of stripping out "dangerous" code is definitely not a good idea. There's a lot of overlap between "code that can be made dangerous" and "standard code your users will want to be able to use."
It sounds like this task is going to run a lot deeper than just the code itself. The process on the server that executes the code will need to be sandboxed, the server itself should be sandboxed, etc. Some questions to ask yourself:
For example, is the PHP code being executed under, say, the same user context as your web server? Apache, for example? If so then user-submitted code could potentially be used to reconfigure your web server, opening it up for more vulnerabilities. Does it run as root or have trusted access to anything that runs as root?
The security implications of executing user-submitted code on your server go far beyond just the web application which accepts the code.