Oh, and I use PHP 4.3.9.

Hi,

Use the unset() [uk2.php.net] function.

Note that once you unset a variable it is no longer available throughout your program unless you assign a new value. Refer to the examples on the PHP.net website.

hi tata668, welcome to webmasterworld.

don't get confused by global variabels and global functions: a variable can be both (global and local) [de2.php.net], but a function [de2.php.net] is global anytime (different in classes): once defined, it exists globally.

i'm not aware of a way to unset a function later on.

and it seems to me, that you should think about another way of programming anyway if you need to redeclare your functions quite often. check out classes [de2.php.net], this might give you the structure you need in your programs.

[edited by: coopster at 7:35 pm (utc) on Feb. 10, 2005]
[edit reason] unlinked old url [/edit]

I know that what I'm trying to do here could sound like "bad programming" but my excuse is that it's part of a template engine based on massassi's [massassi.com].

I'd like my designer to be unable to access the global functions I have access to.

To set which variables he can access is pretty straightforward but I try to figure a way he couldn't access some functions too.

That "unset", if it can be applied to functions, could be a good idea since I call my templates' redering at the end of my scripts... So I won't need the global functions anymore anyway.

hakre: thanks for the welcome!

in this case i would suggest for you to create a class with all your functions in it you don't want to have "publicly" available.

you can then use your class quite simple and "unset" it later on (the class definition still exists but there is no more reference to it):

// include your class definition
include('MyClass.php');
$mine = New MyClass();
// execute one of your functions
$r = $mine->function_name(param,...)
...
// after everything is done, unset it
unset($mine);

after the unset function, $mine is not available any longer. but your designer could simply re-create it by

$mine = New MyClass();

again.

that's the only thing which comes into my mind right now as a "solution" for your problem.

I feel with you tata668, I've had similar mental skirmishes 'if only I could protect these things better', but I'm afraid that hakre is correct here - functions, once defined, can neither be redefined or undefined during execution.

If it is really absolutely essential that your designer not have access to these functions, you'd have to use a template system in which the files are read, not executed. E.g., .ini files which are read with

parse_ini_file()

, or similarly parsed from a template system which does not use

include()

for the templates.

I eventually figured that I'd just have to trust designers to some degree, and the best I could do was just prevent them from stealing my source by encoding it, and using include() nonetheless for templates. If they are allowed to upload code to your server into a 'live' php directory without your checking it, you already have such a huge amount of trust riding on that relationship that their being able to access your functions (if they are told not to) isn't such a big deal compared to, e.g., copying your files, or posting malicious code.

If you go with the 'read - not - execute' template type system, you can even put all this stuff in a directory that's not parsed by the php engine. No malicious code executable, they won't be able to cd / ls their way down into your code either.

Again, thanks for the help...
Webmasterworld seems to be a nice place!

hakre:
Thanks for the good idea. But like you said: it's not bullet proof.

mincklerstraat:
I'm not interested in using a template engin that doesn't use php directly (Smarty for exemple)! ;-)

Finally I think I'll have to trust the designer...

Do you know if a php syntax parser exists?

The designer could upload his templates to a directory and then log to a special webpage that would validate the php functions he used. If the templates are safe, they would finally be moved to a directory where they could be used.

Let's say the webpage's script first rejets all occurences of:
eval
require
require_once
include
include_once

Then it could use the php syntax parser to detect and disable other functions like fopen, db functions, etc.

Do you think it could work?

You might be thinking of the php token functions like

token_get_all()

[be.php.net]. These take php code and break it up into pieces in an array, each of which is assigned a string which corresponds to the type of syntax element that it is. So you could go through this array and look at all the tokens that are functions. This'd do the trick.

Excellent mincklerstraat!

Thanks