Alternative to system('php -l')?

In a project I'm currently working for, we're considering putting system() into php.ini's disable_functions declaration. Now, one meta-module of ours which would ultimately also fall victim to this restriction is syntax-checking files with system("php -l"); calls - prompting me to hunt for alternatives.

Turns out there used to be a php_check_syntax(), but not only did that not restrict itself to merely checking syntax and went on to include the file if it was syntactically valid, but it's been removed as of PHP 5.0.5. The manual suggests php -l in its place, but given that I'm sure disabling system call functions in PHP is a fairly common practise, I'm wondering if there is an accepted, 'better' way of syntax checking PHP files from within PHP files.

(I'm not hell-bent on this, by the way; a 'no' perfectly suffices (and I expect it, really). We can excempt the module from this restriction - but I'm asking this question both out of curiosity as well as in hope of a more graceful solution.)

Ooh! Absolutely. That looks precisely like what I was looking for. I wonder if we have PECL runkit here -- off to investigate! Out of curiosity, do you know of any security advisories about this function (though they'd be anecdotal for me, the files being checked are trusted)?

pinkgothic 2010-10-05 08:40:28

as far as i can read it from the manual it should be safe because it just trys to parse the php file and then returns if the parsing was successfull. it shouldn't do any execution so i THINK it is safe ;-)

ITroubs 2010-10-05 08:43:27

Well, there have historically been security advisories for functions like `highlight_file()`, too, because you could get around the 'just parsing' that they were supposed to do with the right payload - hence the question. But, as I said, anecdotal - I'm not worried either way in my case, just a curious cookie.

pinkgothic 2010-10-05 08:46:51

ahh i get your point. well i don't have any experience using runkit so i can't tell anything about buffer overrun security problems. it was just a fast search i did

ITroubs 2010-10-05 08:51:29

Thank goodness other people's google-fu is better than mine! :) Thanks, ITroubs. (We don't have PECL runkit, but that can be remedied, so I'm accepting your answer. Thank you!)

pinkgothic 2010-10-05 09:03:26

after almost 10 years of googleing it becomes more effective to search something on google then to ask it in stackoverflow except when the answer is not given yet and therefore not in google

ITroubs 2010-10-05 09:14:03

"This command-line tool" -- I'm trying to go away from the command line, though - the idea is to forbid anything in PHP that calls it, after all (`system`/`passthru`/etc). Thanks nonetheless, though. :)

pinkgothic 2010-10-07 07:12:27

ansaurus

tags:

views:

answers:

Alternative to system('php -l')?

related questions