I would be very concerned about letting users post executable code of any kind on your site. When you have functions that require user-supplied information with your site, it would be best to limit the users' submissions to query data and only use that information after those submissions have been cleansed of potential hacking code.

Sorry rainborick, I should have been more clear. They would insert the PHP (or whatever) onto their own pages. The tool generates some codes which they are advised to include on a specific page of their site in order to hook into an account (they will have created with the same tool) and pull data out of their area of the database. Some of the code they are asked to include will authenticate them.

Try searching for: Parse HTML as PHP

There should be plenty of results to tell you (and those who use your system) how to do what they need to. It's usually either AddType or AddHandler in the .htaccess. There's another way to do it with mod_rewrite, but those are probably the best.

Thanks, TheMadScientist, I will take a look.

They would insert the PHP (or whatever) onto their own pages.

You are wise to re-assess rainborick's comment. Although the standard reaction is "my users won't ever do that" it's not your legitimate users you need to worry about. If you do allow this, you will have to be extremely careful with exactly **what** PHP code is allowed to slip through.

As rocknbil and rainborick have said, you are opening your site up to injection when you do this.

Instead, you should be looking for every way possible to prevent people from being able to execute their own code on your server.

It only takes one spammer to discover your site allows it and every blackhat spammer in Russia, China, Romania, and elsewhere will soon know about it.

Yeah, I didn't notice what these more recent posts are about when I posted or I would have suggested the same thing... You will still need them to be able to parse HTML as PHP, but you are waaaaaaay better off to force them to include a file from your server to present the data on their site and enter data into the database by visiting your site.

A Note: It's very difficult to do, but you *can* do what you need to with them being able to enter information on their site... How difficult? I wrote a system a few years ago that did it and without looking at it and digging through the code I can't remember how. It has to do with php files, txt files, mod_rewrite, the server parsing each file and the processing order of the files, but that's the best I can tell you off the top of my head.

On a basic level, you can use exec() in PHP to run any PHP code in a text string

If I summarise the structure of the simple code (without reproducing the actual code), it would be appreciated if someone could tell me if they think it is likely to be hack-proof.

Any code they are told to include on their pages is only available via instructions given to them after they have successfully logged into their account with a username and password.

At the top of the page they would be instructed to include something like
<?php
include_once(<path to an include file residing on MY webserver>);
$var = new myclass("user_id","project_name"); // neither string contains passwords, SQL etc.

Then at specific places in the same web page, they are instructed to include:

<>php myclass->method(#); // where # is a digit in range 1 to 9 and not an ID, password, piece of SQL or anything like that

I personally can't see how any of the above is unsafe unless is would be possible for any potential hacker to view the content (in terms of the PHP) of the include file, but then again I am not an expert in this area.

Sorry, the 1st bit of PHP is of course closed with ?> and the 2nd bit should read:

<?php myclass->method(#); // where # is a digit in range 1 to 9 and not an ID, password, piece of SQL or anything like that
?>

It would be better to keep these configuration aspects as text rather than PHP code; use placeholders in the HTML and then scan for them, replacing them 'on the fly' with the result.

Not sure how that would work, vincevincevince. Does that not essentially mean that the user would have to be instructed to insert code in a newly invented scripting language and I'd have to develop an interpreter and get the user to install that on his/her webserver? I do not understand what you are suggesting and what is wrong with sticking to PHP (apart from the apparent hacking potential). At the moment, I am still under the impression that the code I have summarised above is hack-proof but I would appreciate some feedback on this. By the way, in the SQL in the include file I would follow the advice on metatitan<dot>com<slash>php<slash>16<slash>protecting-your-phpmysql-queries-from-sql-injection<dot>html and dev-exchange<dot>com<slash>cms_view_article<dot>php?aid=10 to prevent anything being injected in the calls

$var = new myclass("user_id","project_name") and myclass->method(#) (see above)

and then it looks like everything will be hacker-proof. Will it not?

What stops them trying to write something else in PHP? such as "unlink()" or start reading the code in someone else's file using fopen fread?

I'd have two files involved; one a template which is all they can access via FTP, and the second a bit of parsing code, which is PHP that only you can access. Don't give them any permission to create files in a PHP enabled path.

At the top of the template they can specify:
userid=44
project_name=foo

Your code can do a preg_match to pull those out and remove them from the output.

In the template they might write: "**METHOD4**

Your code would recognise that and str_replace it with the result of ->method(4)

Thanks for the advice, vincevincevince. So the danger is revealing the path to my include file. Is that it? Three things I don't understand. 1) For the PHP file I do give them access to (containing the call to preg_match), would they not have to include that in their page anyway so I'd still be revealing the path to a location on my webserver? 2) Are you saying that rssfeedreader.com are open to being hacked as well, because I found this page [rssfeedreader.com...] (rssfeedreader<dot>com<slash>php.html) where they are asking their users to do exactly the same kind of thing as I had originally planned? 3) My company website comprises of web pages with the .php extension e.g. www<dot>alcander<dot>co<dot>uk<slash>index<dot>php so I am revealing paths to php files just by having a php enabled website.

Or have I totally misunderstood something here?

Are your users including this code on YOUR server, or on THEIR server? Never allow your users to include PHP code on YOUR server if you know what's good for you. Instead, find a way for them to configure the output without writing code itself. If this is something they install on their own server then let them have the security headache themselves.

If you are talking about references / includes between two servers or sites, you cannot usually write:

include("http://foo.bar/something.php");

The server at foo.bar will only return the HTML output from the page to a http:// request... it will not return the PHP code, no classes will be initialised in the server that includes it, etc.

To 'include' a file from another server or site, you will need to output that file as plain text and then parse it with eval(). eval(file_get_contents("http://foo.bar/something.txt")); where something.txt is your PHP source code.

Thanks, vincevincevince (and sorry for slow reply). They are instructed to include the code in a page on their server. The path to the include file is to my webserver where the include file will reside. I will experiment with what you suggest i.e. using eval etc. and post my finding here, though it may be sometime next week. The solution will need to initialise a class on their server, so it sounds like I need eval.

Might I suggest you switch technologies and use Javascript instead?

<script src="http://foo.bar/load.php?argument=4&argumentb=44"></script>

You can then do all kinds of beautiful stuff client side. Your load.php file should output JAVASCRIPT not HTML. That allows you to insert content into the page or even edit content already on the page.

Thanks vincevincevince. I think it needs to be server-side, but correct me if you think I am wrong, because the user will have created an account (in a different tool which runs completely on my server - let's call this tool X) and saved data in a database (again, situated on my server). Once done, the code he/she includes on his page (as advised by tool X) has to access the database, pulling out the data and dynamically loading it into his webpage (in a certain way to fulfill the purpose of the whole system, which I can't reveal here). If he later uses tool X to access the database and modify his data, he/she does not have to re-include the code on his/her webpage. As javascript is client side, I don't think this can be achieved unless tool X generates the javascript to be included and the user is prepared to re-include the javascipt every time he/she has changed the data via tool X.

Philiboy; almost right. The page references the javascript directly on your server:
<script src="http://foo.bar/load.php?argument=4&argumentb=44"></script>

Where foo.bar is your server, and the arguments are whatever details are required to load the right data. If you need more security, use a hash or something similar.

Think of, for example, Google Adsense - it modifies the page (by adding adverts) - loading them fresh each time from Google via the javascript inclusion. This is what I would advise in most cases.

vincevincevince; I think you slightly misread by last post. Basically I was saying that I understand that javascript can't do database interaction because it's client side. Server side scripts like PHP are designed to do that. And I want the code (that gets included) to grab data out of the database. Or am I wrong in my assumption about javascript?

One thing I didn't clarify is that each time the user's page is refreshed, it should re-access the database so the same data is not necessarily presented each time.

Is your recommendation (to use javascript) because you think my PHP based solution is open to hackers?

I don't think that your system is going to do what you think, based on the way you describe it.

However, Javascript is a good way to do what I suspect you do want to do.

I will try to explain again:

Your server contains a script 'foo.bar/load_data.php'

It accepts some basic parameters which request the right output ('foo.bar/load_data.php?a=44&b=31)

It outputs Javascript not HTML. Yet; it is PHP and so its output is directly driven by your database on your server.

This load_data.php is included into the client's website using <script src=""></script>. That is a client side instruction and the end visitor's computer will get the script directly from YOUR server, and that script will output its data (or whatever) directly into the website that included it.

Thanks for taking the time to reiterate. It makes sense now. Will post here again if I have any trouble implementing what you suggest but it may be weeks away as I am working on other things.