
E-learning PHP application security


metallicrazy


I am currently creating an e-learning application for my honours project (this will not go live or be distributed for profit) that teaches PHP to brand new users; however, there will obviously be experienced users using the application as well and they will try to attack it or bring it down. My code to process the user input for malicious code strings before it is run through an eval() is below. If any of the banned words are found it returns false and the user input never gets near an eval() function. If no banned words are found then it returns true and the input (PHP code) is run through an eval() and the results checked to see if the user input had the desired effect (e.g. change the value of a local variable inside a function). Any major security issues that anyone can see, or advice on making my application more secure, is greatly appreciated. P.S. Any feedback used in the application will be 100% referenced to avoid accusations of plagiarism.

```php
<?php
function checkPHP($input) {
    // array of denied words.
    $deniedWords = array(
        //PHP tags
        '<?', '?>', '?', 'PHP', 'script',
        //Session Variables
        '$_SESSION', '$_GET', '$_POST', '$_GLOBALS', '$HTTP_POST_VARS',
        'GLOBAL', 'SESSION', 'SERVER', 'GET', 'POST', 'COOKIE', 'REQUEST', 'FILE',
        //Escape chars on session variables
        '$_', "'_'", "'\$'", "'\_'", '\$', '\_', "$'", "'$", "_'", "'_", '\\', '/', '_',
        //Commands that parse code as PHP
        'INCLUDE', 'REQUIRE', 'EVAL',
        //Shell commands
        'SYSTEM', 'EXEC', '`', 'SHELL', 'passthru', 'popen', 'DROP',
        //PHP core functions
        'magic_quotes', 'base64_decode', 'scandir', 'file_', 'unlink',
        'get_defined_functions', 'get_defined_vars', 'get_defined_constants',
        'get_loaded_extensions', 'assert_options', 'assert', 'dl', 'extension_loaded',
        'gc_collect_cycles', 'gc_disable', 'gc_enable', 'gc_enabled', 'get_cfg_var',
        'get_current_user', 'get_extension_funcs', 'get_include_path',
        'get_included_files', 'get_magic_quotes_gpc', 'get_magic_quotes_runtime',
        'get_required_files', 'getenv', 'getlastmod', 'getmygid', 'getmyinode',
        'getmypid', 'getmyuid', 'getopt', 'getrusage', 'ini_alter', 'ini_get_all',
        'ini_get', 'ini_restore', 'ini_set', 'magic_quotes_runtime', 'main',
        'memory_get_peak_usage', 'memory_get_usage', 'php_ini_loaded_file',
        'php_ini_scanned_files', 'php_logo_guid', 'php_sapi_name', 'php_uname',
        'phpcredits', 'phpinfo', 'phpversion', 'putenv', 'restore_include_path',
        'set_magic_quotes_runtime', 'set_time_limit', 'sys_get_temp_dir',
        'version_compare', 'zend_logo_guid', 'zend_thread_id', 'zend_version',
        'REFLECTION', 'apc_', 'apd_', 'error', 'debug_', 'restore_', 'trigger_',
        'override_', 'rename_', 'flush', 'ob_', 'output_', 'overload',
        'runkit_', 'wincache_', 'xhprof_', 'rewrite', 'file_exists', 'fopen',
        'fwrite', 'fclose', 'ctype_alnum', 'realpath', 'is_file', 'chdir', 'mail',
        'preg'
    );
    $found = "";
    for ($i = 0; $i < count($deniedWords); $i++) {
        // stristr() is a case-insensitive substring search: "dl" also matches "idle"
        $badWordFound = stristr($input, $deniedWords[$i]);
        if ($badWordFound) {
            $found = $found . "Do not use <span class=bold>" . $deniedWords[$i] . "</span> in your script. <br />";
        }
    }
    if ($found) {
        echo "For security reasons, some keywords and characters have been banned for use within user input. Currently your code contains banned words and will NOT be executed until these are removed: <br />" . $found;
        return false;
    } else {
        return true;
    }
}
```


I am not sure about the purpose of the function and I am not sure how effective this validation will be. You have put almost everything in the ban list, including $_SESSION, $_GET, $_POST and so on. I assume it is for testing PHP code for new learners. But if those are banned, how are people going to test scripts without them? They are quite obvious. The dangerous part of eval() is that it can parse arbitrary user input. As your purpose is to parse arbitrary user input, it is quite the same as letting users upload their file to the server to get it executed. If you want to restrict some function or anything else, there is a better option: disable or control it from php.ini. It could be done in a more restricted and secure way with moderated php.ini settings in a different environment.


Thank you for the response. I have compiled a comprehensive list of functions that I could think of, some of which may need to be removed, but I figured I'd plug the hole and then only open passages where necessary. The function is to test the user input from a text area inside a web app for the banned words. You are correct, the application is intended to demonstrate the basic functionality of PHP and not advanced functionality. I have never been taught during my time at uni how to modify a php.ini file. Can you link me to a tutorial?


It seems to work. But if you're disallowing the underscore, you're basically not letting the user do anything at all except maybe a few mathematical operations.


If you keep removing stuff, it's going to end up being virtually unusable. You already are restricting a lot of things. People won't be able to make scripts like these:

```php
// Example 1:
echo "Hello, world?";

// Example 2:
$my_var = 5 + 9;

// Example 3:
echo "I'm learning PHP. ";
```


Yeah, I am going to need to review what limitations I want to put on inputs. I do appreciate the feedback; it is giving me a lot to think about. I'll allow the underscore but need to ensure I'm restricting all common dangerous functions that contain them. It is important that I find a solution to the concat workaround though, as that is a major loophole. If I were to cut back on restrictions, what would the main ones that should stay be?


I can't tell which ones should stay, but you can remove anything that's only one character or short sequences such as "dl". There are so many words that could have "dl" among their sequence. Is there any reason why you see $_GET, $_POST and $_COOKIE as dangerous? A single search is probably not enough to find everything that could cause trouble. You have to be able to distinguish between what's in a string and what's out of it. And maybe what is a function call and what isn't. After that you can prevent the concatenation problem by using a regular expression that prevents the use of "$[something]("

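A check built on PHP's own tokenizer, added here as an example (it is not code from this thread), that addresses the three points in the reply above: it skips string contents, matches denied names only as whole identifiers that are actually called, and refuses the "$name(" pattern by inspecting the token before each "(" rather than with a regex. The denylist passed in and the two sample snippets are constructed for illustration; it needs PHP 7.1 or later.

```php
<?php
// Token-based pre-check for a learner's snippet before it reaches eval().
// Added example for this thread, not the original poster's code. The denylist
// and rules are illustrative: they close the gaps named in the replies
// (string contents, whole-word matching, the "$name(" concatenation trick)
// and are meant to sit in front of disable_functions in php.ini, not replace it.

/** Nearest token before ($step = -1) or after ($step = 1) index $i, skipping whitespace and comments. */
function adjacentToken(array $tokens, int $i, int $step)
{
    $n = count($tokens);
    for ($j = $i + $step; $j >= 0 && $j < $n; $j += $step) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** Return a list of problems; an empty list means the snippet passed every rule. */
function checkPhpTokens(string $snippet, array $deniedFunctions): array
{
    $denied = array_map('strtolower', $deniedFunctions);
    $problems = [];
    // token_get_all() only tokenizes code after an open tag, so one is prepended;
    // any tag the learner typed then shows up as a token of its own (rule 2).
    $tokens = token_get_all("<?php " . $snippet);

    foreach ($tokens as $i => $tok) {
        if ($i === 0) {
            continue; // the open tag added above
        }
        if (!is_array($tok)) {
            // Single-character tokens: backtick is the shell-exec operator and a
            // bare '$' starts a variable variable ($$name, ${expr}); refuse both.
            if ($tok === '`') {
                $problems[] = 'backtick shell execution is not allowed';
            } elseif ($tok === '$') {
                $problems[] = 'variable variables are not allowed';
            } elseif ($tok === '(') {
                // Rule 3: a call target must be a literal identifier, so '(' may
                // not follow a variable, a string literal or a closing bracket
                // ("$f(...)", "'str'.'len'(...)", "(...)(...)").
                $prev = adjacentToken($tokens, $i, -1);
                $prevId = is_array($prev) ? $prev[0] : $prev;
                if (in_array($prevId, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']', '}', '"'], true)) {
                    $problems[] = 'dynamic function calls are not allowed';
                }
            }
            continue;
        }

        [$id, $text, $line] = $tok;

        // Rule 1: string contents are data, so nothing inside them is matched.
        if ($id === T_CONSTANT_ENCAPSED_STRING || $id === T_ENCAPSED_AND_WHITESPACE) {
            continue;
        }
        // Rule 2: no PHP tags inside the snippet.
        if (in_array($id, [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO, T_CLOSE_TAG, T_INLINE_HTML], true)) {
            $problems[] = "line $line: PHP tags are not allowed";
            continue;
        }
        // Rule 4: eval/include/require are keywords, not functions, so php.ini's
        // disable_functions cannot remove them; they have to be rejected here.
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $problems[] = "line $line: $text is not allowed";
            continue;
        }
        // Rule 5: superglobals, matched as whole variable names.
        if ($id === T_VARIABLE && (substr($text, 0, 2) === '$_' || $text === '$GLOBALS')) {
            $problems[] = "line $line: $text is not allowed";
            continue;
        }
        // Rule 6: denied functions matched as whole identifiers, case-insensitively and
        // only when called, so "dl" inside "idle" or inside a string no longer trips it.
        // PHP 8 tokenizes "\name" as one T_NAME_FULLY_QUALIFIED token; PHP 7 as T_STRING.
        $isName = $id === T_STRING || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if ($isName && in_array(strtolower(ltrim($text, '\\')), $denied, true)
            && adjacentToken($tokens, $i, 1) === '(') {
            $problems[] = "line $line: $text() is not allowed";
        }
    }
    return $problems;
}

// Constructed inputs, not from the thread: a benign learner snippet (the "dl()" inside
// the string is ignored) and one using the "$name(" trick the replies warn about.
$denied = ['dl', 'phpinfo', 'system', 'exec', 'passthru', 'shell_exec', 'call_user_func', 'call_user_func_array'];
var_dump(checkPhpTokens('$my_var = 5 + 9; echo "Idle? Use dl() elsewhere. ";', $denied)); // empty array
var_dump(checkPhpTokens('$f = "php" . "info"; $f();', $denied));                        // one problem: dynamic call
```

Because the rule is "a call target must be a literal identifier", immediately invoked closures such as `(function () {})()` are rejected too, which is acceptable for a beginners' sandbox. Function names passed as strings to callbacks (array_map and the like) are not detected by rule 6, which is the reason the replies keep pointing at disable_functions as the real boundary.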

Can you link me to a tutorial?
http://au2.php.net/m...en/ini.list.php here you can find the list of all settings. If you are on a remote host they won't let you edit the core ini. If you are running on your own server, or any server where you have access to the core ini, it can be edited through it, as most of the critical settings have to be set from the core php.ini. There are two more ways for that: using a directory-based php.ini or ini_set() for runtime parsing. Not all settings can be set from runtime or a directory-based php.ini. To disable functions and classes there are the options "disable_functions" and "disable_classes", which can be set only from the core ini. Check the link above.
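A php.ini fragment illustrating the disable_functions and disable_classes directives the reply above points to, added here as an example; it is not the poster's configuration, the function and class lists are assumptions to adapt, and the sandbox path is a placeholder.

```ini
; php.ini for the interpreter that runs learner code (added example, not the
; thread's configuration; the lists below are assumptions to adapt).
; disable_functions and disable_classes are PHP_INI_SYSTEM directives: they only
; take effect in the main php.ini or in the web server's php_admin_value, and
; ini_set() cannot change them, so nothing inside an evaluated snippet can undo them.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,putenv,ini_set,ini_alter,ini_restore,dl,phpinfo,mail,fopen,file_put_contents,unlink,rename,mkdir,rmdir,chdir,symlink,link,chmod,chown
disable_classes = ReflectionFunction,ReflectionClass,ReflectionMethod,ReflectionProperty,SplFileObject,DirectoryIterator

; eval, include and require are language constructs, not functions, so they cannot
; be listed above; they still have to be rejected when the snippet is scanned.

; Limit what the sandbox process can reach and how long it may run
; (placeholder path; use the directory your sandbox actually lives in).
open_basedir = /var/www/sandbox/
allow_url_fopen = Off
allow_url_include = Off
max_execution_time = 2
memory_limit = 32M
display_errors = Off
expose_php = Off
```

Running the learner interpreter as its own PHP-FPM pool (or its own system user) with this file keeps these limits away from the rest of the site, which is the "different environment" the earlier reply had in mind.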

Things like this don't really succeed; you end up limiting PHP to the point that it's not usable. The things you are limiting are usually the very things that people want to try, like working with files. If you want to set up a test environment then use the development server feature in PHP 5.4 to set up a test server for each person where they can run whatever they want on their own computer. There's not much point in trying to provide a PHP shell for someone on your server where you restrict everything they do; it would be better to have them download and install PHP to give them access to the development server, and you can write your own testing environment that you can distribute, which they install on the test server and then open your test environment to run whatever code they want to run on their own computer. Other than that, there are a million ways to get around your security checks. You need to actually disable the functions, not try to scan the code and detect every possible way that someone could execute something. I could use chr and str_replace to build whatever code string I want to execute; the answer to that problem is not to restrict access to chr and str_replace.

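A runtime guard in the spirit of the last point above, added here as an example (not the poster's code): before calling eval() it confirms that the interpreter's disable_functions really covers the functions the sandbox depends on, and refuses to run otherwise, so a deployment whose php.ini was never edited fails closed instead of relying on the source scan. The required list and the sample snippet are assumptions constructed for illustration.

```php
<?php
// Added example for this thread, not the poster's code. $requiredDisabled is an
// assumption: list whatever your sandbox php.ini is supposed to disable.

/** Names from $requiredDisabled that this interpreter has NOT disabled. */
function sandboxGaps(array $requiredDisabled): array
{
    // ini_get() returns the directive as configured: a comma-separated string.
    // disable_functions is PHP_INI_SYSTEM, so learner code cannot alter this
    // value with ini_set() and then pass the check.
    $disabled = array_map('strtolower', array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $gaps = [];
    foreach ($requiredDisabled as $fn) {
        if (!in_array(strtolower($fn), $disabled, true)) {
            $gaps[] = $fn;
        }
    }
    return $gaps;
}

/** Run a learner snippet only if the php.ini sandbox is really in effect. */
function runLearnerSnippet(string $snippet, array $requiredDisabled)
{
    $gaps = sandboxGaps($requiredDisabled);
    if ($gaps !== []) {
        throw new RuntimeException('Refusing to eval(): php.ini does not disable ' . implode(', ', $gaps));
    }
    // Evaluate inside a static closure so the snippet gets a fresh local scope:
    // it can neither read nor change the caller's variables, and has no $this.
    $runner = static function () use ($snippet) {
        return eval($snippet);
    };
    return $runner();
}

$required = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
try {
    // Constructed snippet: the kind of exercise the OP describes (changing a local variable).
    var_dump(runLearnerSnippet('$x = 1; $x = $x + 41; return $x;', $required)); // int(42) once php.ini is set up
} catch (Throwable $e) {
    // RuntimeException on a default CLI php.ini (which disables nothing);
    // ParseError or Error if the learner's snippet itself is broken.
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```

Catching Throwable matters because a syntax error in the snippet surfaces from eval() as a ParseError, and a learner's mistakes should produce a message rather than a fatal error in the application.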
