views:

957

answers:

2

I want to execute a php-script from php that will use different constants and different versions of classes that are already defined.

Is there a sandbox php_module where i could just:

sandbox('script.php'); // run in a new php environment

instead of

include('script.php'); // run in the same environment

Or is proc_open() the only option?

PS: The script isn't accessible through the web, so fopen('http://host/script.php') is not an option.

+3  A: 

There is runkit, but you may find it simpler to just call the script over the command line (Use shell_exec), if you don't need any interaction between the master and child processes.

troelskn
About runkit; it does not seem to sandbox well by description, or I maybe should say easy.You can forbid functions, but I would rather like to forbid ALL but those in a provided list. If an user needs a function I can evaluate its safety by hand upon request.It seems like the only way is to write a custom made interpreter. If speed is an issue you can make it convert its AST into PHP or an other language, this is actually what I'm gonna do now as I could not find a ready solution.Cheers!Ps. Yes, I saw that this Q is old. Ds.
Frank
Well .. Good luck finding something that can parse PHP into an AST ;) I concur with your point though.
troelskn
FYI runkit seems to be abandoned and you'll probably want to compile either the CVS version or one of the patched versions (http://github.com/tricky/runkit) if you want to run it on a modern version of PHP
Eli
+1  A: 

Also, you should look at the backtick operator:

$sOutput = `php script_to_run.php`;

This will allow you to inspect the output from the script you are running. However, note that the script will be run with the privileges you have, but you can circumvent this by using sudo on Linux.

This approach also assumes that you have the PHP CLI installed, which is not always the case.

Vegard Larsen