phpBB Academy at StarTrekGuide

[chaoskreator Jason]

I know I should probably post this over at .com, but I'm still having issues with my account over there, so I figured I would just post it here...

I'd love to see the ability to use PHP in the replacement for bbcodes. This would open up never-before-seen levels of interactivity for users of phpBB. Javascript and HTML is just not flexible enough to do many things.

[Erik Frèrejean]

This would open up never-before-seen levels of interactivity for users of phpBB.

I really hope you mean "This would open up never-before-seen levels of security issues for users of phpBB.". Allowing users to post php is an even worse idea than allowing javascript/html.

[chaoskreator Jason]

I realize that serious security measures would have to be taken, but just imagine what you could allow users do (other than hacking the site. lol.). But with the right security, I think it would be awesome.

[gygasync Igor]

Yes it would be cool but security is in stake, maybe only if someone developed some programming code that is just between html/js and php.So we would have security. If you want php to do simple tasks it would be ok

[chaoskreator Jason]

AJAX has the ability to work between the client and server, performing database queries via PHP and whatnot. But why write long, tedious scripts when the same could be accomplished in just a few simple PHP functions and SQL queries? IDK. I still think there would be an easy way to implement the security. The request_var() function cleanses input. sql_escape() cleanses before database queries. How much more security is needed?
I've been meaning to look into the issue further, but I just haven't had time yet.

[topdown]

Allowing PHP is allowing commands.

It would be no different than letting me or anyone control your server via command line at any given time.
You would have to write an endless security class to disable 99% of the PHP core, which would be ridiculous.

I don't see the point in having PHP in BBcodes, PHP is a server side language, why would you want to give users that ability?
There is no real benefit that I can think of.

[Obsidian]

Some basic logic conditionals would be nice, IMO.

if (X) display Y, else display Z...etc.

[chaoskreator Jason]

I'm not necessarily talking about allowing users themselves use PHP. I mean more like:
A user enters bbcode with an integer as the value
Say the replacement for that particular bbcode is a simple function that accepts the variable as a parameter (yes, I realize this is basically letting users execute PHP)
When the bbcode is actually posted, $input = (int) request_var('input', 0); would ensure the parameter to be passed is in fact an integer only. Other checks can be made to ensure that no strings are allowed.
When the checks are passed and the function is executed, the sql_escape() function can then be used once again to ensure the state hasn't changed from an integer.
It would require extensive testing to make sure things like

Code: Select all

mal_func([bbcode_func]1[/bbcode_func])


couldn't be executed and that user's can't just type in functions or PHP scripts and have them executed.

[Obsidian]

Sounds like a way for someone to misuse dangerous built-in PHP functions.


A full PHP parsing system (like something that would make use of the eval() function) would be too dangerous; the best and most secure way to do it would be with a pseudolanguage which would only provide the most basic programming elements, such as a basic input (which is already provided), if/elseif/else, switches, and other basic logic implements. Anything further would be ridiculous and be begging for exploitation.

[chaoskreator Jason]

Hmmm... Then I suppose it's back to blundering through AJAX database queries.